Authors' Abstract 



Traditional methods for specifying and reasoning about concurrent systems work 
for real-time systems. Using TLA (the temporal logic of actions), we illustrate 
how they work with the examples of a queue and of a mutual-exclusion protocol. 
In general, two problems must be addressed: avoiding the real-time programming 
version of Zeno's paradox, and coping with circularities when composing real-time 
assumption/guarantee specifications. Their solutions rest on properties of machine 
closure and realizability. 
1 Introduction 



A new class of systems is often viewed as an opportunity to invent a new semantics. 
A number of years ago, the new class was distributed systems. More recently, 
it has been real-time systems. The proliferation of new semantics may be fun 
for semanticists, but developing a practical method for reasoning formally about 
systems is a lot of work. It would be unfortunate if every new class of systems 
required inventing new semantics, along with proof rules, languages, and tools. 

Fortunately, no fundamental change to the old methods for specifying and reasoning 
about systems is needed for these new classes. It has long been known that the 
methods originally developed for shared-memory multiprocessing apply equally 
well to distributed systems [7, 11]. The first application we have seen of a clearly 
"off-the-shelf" method to a real-time algorithm was in 1983 [16], but there were 
probably earlier ones. Indeed, the "extension" of an existing temporal logic to real- 
time programs by Bernstein and Harter in 1981 [6] can be viewed as an application 
of that logic. 

The old-fashioned methods handle real time by introducing a variable, which we 
call now, to represent time. This idea is so simple and obvious that it seems hardly 
worth writing about, except that few people appear to be aware that it works in 
practice. We therefore describe how to apply a conventional method to real-time 
systems. 

Any formalism for reasoning about concurrent programs can be used to prove 
properties of real-time systems. However, in a conventional formalism based on 
a programming language, real-time assumptions are expressed by adding program 
operations that read and modify the variable now. The result can be a complicated 
program that is hard to understand and easy to get wrong. We take as our formalism 
TLA, the temporal logic of actions [13]. In TLA, programs and properties are rep- 
resented as logical formulas. A real-time program can be written as the conjunction 
of its untimed version, expressed in a standard way as a TLA formula, and its timing 
assumptions, expressed in terms of a few standard parameterized formulas. This 
separate specification of timing properties makes real-time specifications easier to 
write and understand. 

The method is illustrated with two examples. The first is a queue in which the 
sender and receiver synchronize by the use of timing assumptions instead of ac- 
knowledgements. We indicate how safety and liveness properties of the queue 
can be proved. The second example is an n-process mutual exclusion protocol, in 
which mutual exclusion depends on assumptions about the length of time taken by 
the operations. Its correctness is proved by a conventional invariance argument. 

We also discuss two problems that arise when time is represented as a program 
variable, problems that seem to have received little attention, and present new 
solutions. The solutions are expressed in terms of TLA, but they can be applied to 
any formalism whose semantics is based on sequences of states or actions. 

The first problem is how to avoid the real-time programming version of Zeno's 
paradox. If time becomes an ordinary program variable, then one can inadvertently 
write programs in which time behaves improperly. An obvious danger is deadlock, 
where time stops. A more insidious possibility is that time keeps advancing but 
is bounded, approaching closer and closer to some limit. One way to avoid such 
"Zeno" behaviors is to place an a priori lower bound on the duration of any action, 
but this can complicate the representation of some systems. We provide a more 
general and, we feel, a more natural solution. 

The second problem is coping with the circularity that arises in open system spec- 
ifications. The specification of an open system asserts that it operates correctly 
under some assumptions on the system's environment. A modular specification 
method requires a rule asserting that, if each component satisfies its specification, 
then it behaves correctly in concert with other components. This rule is circu- 
lar, because a component's specification requires only that it behave correctly if 
its environment does, and its environment consists of all the other components. 
Despite its circularity, the rule is sound for specifications written in a particular 
style [1, 15, 17]. By examining an apparently paradoxical example, we discover 
how real-time specifications of open systems can be written in this style. 

2 Closed Systems 

We briefly review how to represent closed systems in TLA. A closed system is 
one that is self-contained and does not communicate with an environment. No 
one intentionally designs autistic systems; in a closed system, the environment is 
represented as part of the system. Open systems, in which the environment and 
system are separated, are discussed in Section 4. 

We begin our review of TLA with an example. Section 2.2 summarizes the formal 
definitions. A more leisurely exposition appears in [13], and most definitions in 
the current paper are repeated in a list in the appendix. Section 2.3 reviews the 
concepts of safety [4] and machine closure [2] (also known as feasibility [5]) and 
relates them to TLA, and Section 2.4 defines a useful class of history variables [2]. 
Propositions and theorems are proved in the appendix. 

Figure 1: A simple queue. 

2.1 The Lossy-Queue Example 

We introduce TLA with the example of the lossy queue shown in Figure 1. The 
interface consists of two pairs of "wires", each pair consisting of a val wire that 
holds a message and a boolean-valued bit wire. A message m is sent over a pair 
of wires by setting the val wire to m and complementing the bit wire. Input to 
the queue arrives on the wire pair (ival, ibit), and output is sent on the wire pair 
(oval, obit). There is no acknowledgment protocol, so inputs are lost if they arrive 
faster than the queue processes them. The property guaranteed by this lossy queue 
is that the sequence of output messages is a subsequence of the sequence of input 
messages. In Section 3.1, we add timing constraints to rule out the possibility of 
lost messages. 

A specification is a TLA formula $\Pi$ describing a set of allowed behaviors. A 
property P is also a TLA formula. The specification $\Pi$ satisfies property P iff 
(if and only if) every behavior allowed by $\Pi$ is also allowed by P, that is, if $\Pi$ 
implies P. Similarly, a specification $\Phi$ implements $\Pi$ iff every behavior allowed 
by $\Phi$ is also allowed by $\Pi$, so implementation means implication. 

The specification of the lossy queue is a TLA formula that mentions the four 
variables ibit, obit, ival, and oval, as well as two internal variables: q, which 
equals the sequence of messages received but not yet output; and last, which 
equals the value of ibit for the last received message. (The variable last is used 
to prevent the same message from being received twice.) These six variables are 
flexible variables; their values can change during a behavior. We also introduce 
a rigid variable Msg denoting the set of possible messages; it has the same value 
throughout a behavior. We usually refer to flexible variables simply as variables, 
and to rigid variables as constants. 

$$
\begin{array}{l@{\quad}l}
InitQ \;\triangleq & \land\ ibit, obit \in \{\mathit{true}, \mathit{false}\} \\
                   & \land\ ival, oval \in Msg \\
                   & \land\ last = ibit \\
                   & \land\ q = \langle\!\langle\,\rangle\!\rangle \\[6pt]
Inp \;\triangleq   & \land\ ibit' = \lnot ibit \\
                   & \land\ ival' \in Msg \\
                   & \land\ \langle obit, oval, q, last\rangle' = \langle obit, oval, q, last\rangle \\[6pt]
EnQ \;\triangleq   & \land\ last \neq ibit \\
                   & \land\ q' = q \circ \langle\!\langle ival\rangle\!\rangle \\
                   & \land\ last' = ibit \\
                   & \land\ \langle ibit, obit, ival, oval\rangle' = \langle ibit, obit, ival, oval\rangle \\[6pt]
DeQ \;\triangleq   & \land\ q \neq \langle\!\langle\,\rangle\!\rangle \\
                   & \land\ oval' = Head(q) \\
                   & \land\ q' = Tail(q) \\
                   & \land\ obit' = \lnot obit \\
                   & \land\ \langle ibit, ival, last\rangle' = \langle ibit, ival, last\rangle \\[6pt]
\mathcal{N}_Q \;\triangleq & Inp \lor EnQ \lor DeQ \\
v \;\triangleq     & \langle ibit, obit, ival, oval, q, last\rangle \\
\Pi_Q \;\triangleq & InitQ \land \Box[\mathcal{N}_Q]_v \\
\Phi_Q \;\triangleq & \exists\, q, last : \Pi_Q
\end{array}
$$

Figure 2: The TLA specification of a lossy queue. 

The TLA specification is shown in Figure 2, using the following notation. A 
list of formulas, each prefaced by $\land$, denotes the conjunction of the formulas, 
and indentation is used to eliminate parentheses. The expression $\langle\!\langle\,\rangle\!\rangle$ denotes the 
empty sequence, $\langle\!\langle m\rangle\!\rangle$ denotes the singleton sequence having m as its one element, $\circ$ 
denotes concatenation, $Head(\sigma)$ denotes the first element of $\sigma$, and $Tail(\sigma)$ denotes 
the sequence obtained by removing the first element of $\sigma$. The symbol $\triangleq$ means is 
defined to equal. 

The first definition is of the predicate InitQ, which describes the initial state. This 
predicate asserts that the values of variables ibit and obit are arbitrary booleans, the 
values of ival and oval are elements of Msg, the values of last and ibit are equal, 
and the value of q is the empty sequence. 

Next is defined the action Inp, which describes all state changes that represent the 
sending of an input message. (Since this is the specification of a closed system, it 
includes the environment's Inp action.) The first conjunct, $ibit' = \lnot ibit$, asserts that 
the new value of ibit equals the complement of its old value. The second conjunct 
asserts that the new value of ival is an element of Msg. The third conjunct asserts 
that the value of the four-tuple $\langle obit, oval, q, last\rangle$ is unchanged; it is equivalent to 
the assertion that the value of each of the four variables obit, oval, q, and last is 
unchanged. The action Inp is always enabled, meaning that, in any state, a new 
input message can be sent. 

Action EnQ represents the receipt of a message by the system. The first conjunct 
asserts that last is not equal to ibit, so the message on the input wire has not yet been 
received. The second conjunct asserts that the new value of q equals the sequence 
obtained by concatenating the old value of ival to the end of q 's old value. The third 
conjunct asserts that the new value of last equals the old value of ibit. The final 
conjunct asserts that the values of ibit, obit, ival, and oval are unchanged. Action 
EnQ is enabled in a state iff the values of last and ibit in that state are unequal. 

The action DeQ represents the operation of removing a message from the head of 
q and sending it on the output wire. It is enabled iff the value of q is not the empty 
sequence. 

The action $\mathcal{N}_Q$ is the specification's next-state relation. It describes all allowed 
changes to the queue system's variables. Since the only allowed changes are the 
ones described by the actions Inp, EnQ, and DeQ, action $\mathcal{N}_Q$ is the disjunction of 
those three actions. 

In TLA specifications, it is convenient to give a name to the tuple of all relevant 
variables. Here, we call it v. 

Formula $\Pi_Q$ is the internal specification of the lossy queue, the formula specifying 
all sequences of values that may be assumed by the queue's six variables, including 
the internal variables q and last. Its first conjunct asserts that InitQ is true in the 
initial state. Its second conjunct, $\Box[\mathcal{N}_Q]_v$, asserts that every step is either an $\mathcal{N}_Q$ 
step (a state change allowed by $\mathcal{N}_Q$) or else leaves v unchanged, meaning that it 
leaves all six variables unchanged. 

Formula $\Phi_Q$ is the actual specification, in which the internal variables q and last 
have been hidden. A behavior satisfies $\Phi_Q$ iff there is some way to assign sequences 
of values to q and last such that $\Pi_Q$ is satisfied. The free variables of $\Phi_Q$ are ibit, 
obit, ival, and oval, so $\Phi_Q$ specifies what sequences of values these four variables 
can assume. All the preceding definitions just represent one possible way of 
structuring the definition of $\Phi_Q$; there are infinitely many ways to write formulas 
that are equivalent to $\Phi_Q$ and are therefore equivalent specifications. 

TLA is an untyped logic; a variable may assume any value. Type correctness is 
expressed by the formula $\Box T$, where T is the predicate asserting that all relevant 
variables have values of the expected "types". For the internal queue specification, 
the type-correctness predicate is 

$$
\begin{array}{ll}
T_Q \;\triangleq & \land\ ibit, obit, last \in \{\mathit{true}, \mathit{false}\} \\
                 & \land\ ival, oval \in Msg \\
                 & \land\ q \in Msg^*
\end{array}
\tag{1}
$$

where $Msg^*$ is the set of finite sequences of messages. Type correctness of $\Pi_Q$ is 
asserted by the formula $\Pi_Q \Rightarrow \Box T_Q$, which is easily proved [13]. Type correctness 
of $\Phi_Q$ follows from $\Pi_Q \Rightarrow \Box T_Q$ by the usual rules for reasoning about quantifiers. 

Formulas $\Pi_Q$ and $\Phi_Q$ are safety properties, meaning that they are satisfied by an 
infinite behavior iff they are satisfied by every finite initial portion of the behavior. 
Safety properties allow behaviors in which a system performs properly for a 
while and then the values of all variables are frozen, never to change again. In 
asynchronous systems, such undesirable behaviors are ruled out by adding fairness 
properties. We could strengthen our lossy-queue specification by conjoining the 
weak fairness property $WF_v(DeQ)$ and the strong fairness property $SF_v(EnQ)$ to 
$\Pi_Q$, obtaining 

$$\exists\, q, last : (InitQ \land \Box[\mathcal{N}_Q]_v \land WF_v(DeQ) \land SF_v(EnQ)) \tag{2}$$

Property $WF_v(DeQ)$ asserts that if action DeQ is enabled forever, then infinitely 
many DeQ steps must occur. This property implies that every message reaching 
the queue is eventually output. Property $SF_v(EnQ)$ asserts that if action EnQ is 
enabled infinitely often, then infinitely many EnQ steps must occur. It implies that 
if infinitely many inputs are sent, then the queue must receive infinitely many of 
them. The formula (2) implies the liveness property [4] that an infinite number of 
inputs produces an infinite number of outputs. This formula also implies the same 
safety properties as $\Phi_Q$. A formula such as (2), which is the conjunction of an 
initial predicate, a term of the form $\Box[A]_f$, and a fairness property, is said to be in 
canonical form. 
2.2 The Semantics of TLA 



We begin with some definitions. We assume a set of constant values, and we let 
$[\![F]\!]$ denote the semantic meaning of a formula F. 

state A mapping from variables to values. We let $s.x$ denote the value that state s 
assigns to variable x. 

state function An expression formed from variables, constants, and operators. 
The meaning of a state function is a mapping from states to values. For 
example, $x + 1$ is a state function such that $[\![x + 1]\!](s)$ equals $s.x + 1$, for 
any state s. 

predicate A boolean-valued state function, such as $x > y + 1$. 

transition function An expression formed from variables, primed variables, constants, and operators. The meaning of a transition function is a mapping from 
pairs of states to values. For example, $x + y' + 1$ is a transition function, and 
$[\![x + y' + 1]\!](s, t)$ equals the value $s.x + t.y + 1$, for any pair of states s, t. 

action A boolean-valued transition function, such as $x > (y' + 1)$. 

step A pair of states s, t. It is called an A step iff $[\![A]\!](s, t)$ equals true, for an 
action A. It is called a stuttering step iff $s = t$. 

$f'$ The transition function obtained from the state function f by priming all the 
free variables of f, so $[\![f']\!](s, t) = [\![f]\!](t)$ for any states s and t. 

$[A]_f$ The action $A \lor (f' = f)$, for any action A and state function f. 

$\langle A\rangle_f$ The action $A \land (f' \neq f)$, for any action A and state function f. 

Enabled A For any action A, the predicate such that $[\![\mathrm{Enabled}\ A]\!](s)$ equals 
$\exists t : [\![A]\!](s, t)$, for any state s. 

Informally, we often identify a formula and its meaning. For example we say that 
a predicate P is true in state s instead of $[\![P]\!](s) = \mathit{true}$. 

An RTLA (raw TLA) formula is an expression built from actions, classical operators 
(boolean operators and quantification over rigid variables), and the unary temporal 
operator $\Box$. The meaning of an RTLA formula is a boolean-valued function on 
behaviors, where a behavior is an infinite sequence of states. The meaning of the 
operator $\Box$ is defined by 

$$[\![\Box F]\!](s_1, s_2, s_3, \ldots) \;=\; \forall n > 0 : [\![F]\!](s_n, s_{n+1}, s_{n+2}, \ldots)$$

Intuitively, $\Box F$ asserts that F is "always" true. The meaning of an action as 
an RTLA formula is defined in terms of its meaning as an action by letting 
$[\![A]\!](s_1, s_2, s_3, \ldots)$ equal $[\![A]\!](s_1, s_2)$. A predicate P is an action; P is true for 
a behavior iff it is true for the first state of the behavior, and $\Box P$ is true iff P is 
true in all states. For any action A and state function f, the formula $\Box[A]_f$ is true 
for a behavior iff each step is an A step or else leaves f unchanged. The classical 
operators have their usual meanings. 

A TLA formula is one that can be constructed from predicates and formulas $\Box[A]_f$ 
using classical operators, $\Box$, and existential quantification over flexible variables. 
The semantics of actions, classical operators, and $\Box$ are defined as before. The 
approximate meaning of quantification over a flexible variable is that $\exists x : F$ is 
true for a behavior iff there is some sequence of values that can be assigned to x 
that makes F true. The precise definition appears in [13] and is recalled in the 
appendix. As usual, we write $\exists x_1, \ldots, x_n : F$ instead of $\exists x_1 : \ldots \exists x_n : F$. 

A property is a set of behaviors that is invariant under stuttering, meaning that 
it contains a behavior $\sigma$ iff it contains every behavior obtained from $\sigma$ by adding 
and/or removing stuttering steps. The set of all behaviors satisfying a TLA formula 
is a property, which we often identify with the formula. 

For any TLA formula F, action A, and state function f: 

$$
\begin{array}{lcl}
\Diamond F & \triangleq & \lnot\Box\lnot F \\
WF_f(A) & \triangleq & \Box\Diamond\lnot(\mathrm{Enabled}\ \langle A\rangle_f) \lor \Box\Diamond\langle A\rangle_f \\
SF_f(A) & \triangleq & \Diamond\Box\lnot(\mathrm{Enabled}\ \langle A\rangle_f) \lor \Box\Diamond\langle A\rangle_f
\end{array}
$$

These are TLA formulas, since $\Diamond\langle A\rangle_f$ equals $\lnot\Box[\lnot A]_f$. 
2.3 Safety and Fairness 

A finite behavior is a finite sequence of states. We say that a finite behavior satisfies 
a property F iff it can be continued to an infinite behavior in F. A property F is 
a safety property [4] iff the following condition holds: F contains a behavior iff 
it is satisfied by every finite prefix of the behavior.¹ Intuitively, a safety property 
asserts that something "bad" does not happen. Predicates and formulas of the form 
$\Box[A]_f$ are safety properties. 

Safety properties form the closed sets for a topology on the set of all behaviors. 

Hence, if two TLA formulas F and G are safety properties, then F A G is also a 
safety property. The closure C (F) of a property F is the smallest safety property 
containing F. It can be shown that C(F) is expressible in TLA, for any TLA 
formula F. 

If $\Pi$ is a safety property and L an arbitrary property, then the pair $(\Pi, L)$ is machine 
closed iff every finite behavior satisfying $\Pi$ can be extended to an infinite behavior 
in $\Pi \land L$. Proposition 1 below shows that machine closure generalizes the concept 
of fairness. The canonical form for a TLA formula is 

$$\exists x : (Init \land \Box[\mathcal{N}]_v \land L) \tag{3}$$

where $(Init \land \Box[\mathcal{N}]_v, L)$ is machine closed and x is a tuple of variables called the 
internal variables of the formula. The state function v will usually be the tuple 
of all variables appearing free in Init, $\mathcal{N}$, and L (including the variables of x). 
A behavior satisfies (3) iff there is some way of choosing values for x such that 
(a) Init is true in the initial state, (b) every step is either an $\mathcal{N}$ step or leaves all the 
variables in v unchanged, and (c) the entire behavior satisfies L. 

An action A is said to be a subaction of a safety property $\Pi$ iff for every finite 
behavior $s_1, \ldots, s_n$ satisfying $\Pi$ with Enabled A true in state $s_n$, there exists a state 
$s_{n+1}$ such that $(s_n, s_{n+1})$ is an A step and $s_1, \ldots, s_{n+1}$ satisfies $\Pi$. By this definition, 
A is a subaction of $Init \land \Box[\mathcal{N}]_v$ iff² 

$$Init \land \Box[\mathcal{N}]_v \;\Rightarrow\; \Box\big((\mathrm{Enabled}\ A) \Rightarrow \mathrm{Enabled}\ (A \land [\mathcal{N}]_v)\big)$$

Two actions A and B are disjoint for a safety property $\Pi$ iff no behavior satisfying 
$\Pi$ contains an $A \land B$ step. By this definition, A and B are disjoint for $Init \land \Box[\mathcal{N}]_v$ 
iff 

$$Init \land \Box[\mathcal{N}]_v \;\Rightarrow\; \Box\lnot\mathrm{Enabled}\ (A \land B \land [\mathcal{N}]_v)$$

The following result shows that the conjunction of WF and SF formulas is a fairness 
property. It is a special case of Proposition 4 of Section 4. 

¹One sometimes defines $s_1, \ldots, s_n$ to satisfy F iff the behavior $s_1, \ldots, s_n, s_n, \ldots$ is in F. 
Since properties are invariant under stuttering, this alternative definition leads to the same definition 
of a safety property. 

²We let $\Rightarrow$ have lower precedence than the other boolean operators. 
Proposition 1 If $\Pi$ is a safety property and L is the conjunction of a finite or 
countably infinite number of formulas of the form $WF_w(A)$ and/or $SF_w(A)$ such 
that each $\langle A\rangle_w$ is a subaction of $\Pi$, then $(\Pi, L)$ is machine closed. 

In practice, each w will usually be a tuple of variables changed by the corresponding 
action A, so $\langle A\rangle_w$ will equal A.³ In the informal exposition, we often omit the 
subscript and talk about A when we really mean $\langle A\rangle_w$. 

Machine closure for more general classes of properties can be proved with the 
following two propositions, which are proved in the appendix. To apply the first, 
one must prove that $\exists x : \Pi$ is a safety property. By Proposition 2 of [2, page 265], 
it suffices to prove that $\Pi$ has finite internal nondeterminism (fin), with x as its 
internal state component. Here, fin means roughly that there are only a finite 
number of sequences of values for x that can make a finite behavior satisfy $\Pi$. 

Proposition 2 If $(\Pi, L)$ is machine closed, x is a tuple of variables that do not 
occur free in L, and $\exists x : \Pi$ is a safety property, then $((\exists x : \Pi), L)$ is machine 
closed. 

Proposition 3 If $(\Pi, L_1)$ is machine closed and $\Pi \land L_1$ implies $L_2$, then $(\Pi, L_2)$ 
is machine closed. 

2.4 History-Determined Variables 

A history-determined variable is one whose current value can be inferred from the 
current and past values of other variables. For the precise definition, let 

$$Hist(h, f, g, v) \;\triangleq\; (h = f) \land \Box[(h' = g) \land (v' \neq v)]_{\langle h, v\rangle} \tag{4}$$

where f and v are state functions and g is a transition function. A variable h is 
a history-determined variable for a formula $\Pi$ iff $\Pi$ implies $Hist(h, f, g, v)$, for 
some f, g, and v such that h occurs free in neither f nor v, and h' does not occur 
free in g. 

If f and v do not depend on h, and g does not depend on h', then $\exists h : Hist(h, f, g, v)$ 
is identically true. Therefore, if h does not occur free in formula $\Phi$, then $\exists h : 
(\Phi \land Hist(h, f, g, v))$ is equivalent to $\Phi$. In other words, conjoining $Hist(h, f, g, v)$ 
to $\Phi$ does not change the behavior of its variables, so it makes h a "dummy variable" 
for $\Phi$; in fact, it is a special kind of history variable [2, page 270]. 

³More precisely, $T \land A$ will imply $w' \neq w$, where T is the type-correctness invariant. 
As an example, we add to the lossy queue's specification $\Phi_Q$ a history variable hin 
that records the sequence of values transmitted on the input wire. Let 

$$
\begin{array}{ll}
H_{in} \;\triangleq & \land\ hin = \langle\!\langle\,\rangle\!\rangle \\
                    & \land\ \Box[\ \land\ hin' = hin \circ \langle\!\langle ival'\rangle\!\rangle \\
                    & \phantom{\land\ \Box[\ }\land\ \langle ival, ibit\rangle' \neq \langle ival, ibit\rangle\ ]_{\langle hin, ival, ibit\rangle}
\end{array}
\tag{5}
$$

Then $H_{in}$ equals $Hist(hin, \langle\!\langle\,\rangle\!\rangle, hin \circ \langle\!\langle ival'\rangle\!\rangle, \langle ival, ibit\rangle)$, so hin is a history-determined 
variable for $H_{in}$, and $\exists hin : (\Phi_Q \land H_{in})$ equals $\Phi_Q$. 

If h is a history-determined variable for a property $\Pi$, then $\Pi$ is fin, with h as its 
internal state component. Hence, if $\Pi$ is a safety property, then $\exists h : \Pi$ is also a 
safety property. 

3 Real-Time Closed Systems 

We now use TLA to specify and reason about timing properties of closed systems. 
Section 3.1 explains how time and timing properties can be represented with TLA 
formulas, and Section 3.2 describes how to reason about these formulas. The prob- 
lem of Zeno specifications is addressed in Section 3.3. Our method of specifying 
and reasoning about timing properties is illustrated in Section 3.4 with the example 
of a real-time mutual exclusion protocol. 

3.1 Time and Timers 

In real-time TLA specifications, real time is represented by the variable now. 
Although it has a special interpretation, now is just an ordinary variable of the 
logic. The value of now is always a real number, and it never decreases, conditions 
expressed by the TLA formula 

$$RT \;\triangleq\; (now \in \mathbf{R}) \land \Box[now' \in (now, \infty)]_{now}$$

where $\mathbf{R}$ is the set of real numbers and $(r, \infty)$ is $\{t \in \mathbf{R} : t > r\}$. 

It is convenient to make time-advancing steps distinct from ordinary program steps. 
This is done by strengthening the formula RT to 

$$RT_v \;\triangleq\; (now \in \mathbf{R}) \land \Box[(now' \in (now, \infty)) \land (v' = v)]_{now}$$

This property differs from RT only in asserting that v does not change when now 
advances. Simple logical manipulation shows that $RT_v$ is equivalent to $RT \land 
\Box[now' = now]_v$, and 

$$Init \land \Box[\mathcal{N}]_v \land RT_v \;\equiv\; Init \land \Box[\mathcal{N} \land (now' = now)]_v \land RT$$

Real-time constraints are imposed by using timers to restrict the increase of now. 
A timer for $\Pi$ is a state function t such that $\Pi$ implies $\Box(t \in \mathbf{R} \cup \{\pm\infty\})$. Timer t 
is used as an upper-bound timer by conjoining the formula 

$$MaxTime(t) \;\triangleq\; (now \le t) \land \Box[now' \le t']_{now}$$

to a specification. This formula asserts that now is never advanced past t. Timer t 
is used as a lower-bound timer for an action A by conjoining the formula 

$$MinTime(t, A, v) \;\triangleq\; \Box[A \Rightarrow (t \le now)]_v$$

to a specification. This formula asserts that an $\langle A\rangle_v$ step cannot occur when now is 
less than t.⁴ 

A common type of timing constraint asserts that an A step must occur within $\delta$ 
seconds of when the action A becomes enabled, for some constant $\delta$. After an A 
step, the next A step must occur within $\delta$ seconds of when action A is re-enabled. 
There are at least two reasonable interpretations of this requirement. 

The first interpretation is that the A step must occur if A has been continuously 
enabled for $\delta$ seconds. This is expressed by $MaxTime(t)$ when t is a state function 
satisfying 

$$
\begin{array}{ll}
VTimer(t, A, \delta, v) \;\triangleq & \land\ t = \mathbf{if}\ \mathrm{Enabled}\ \langle A\rangle_v\ \mathbf{then}\ now + \delta\ \mathbf{else}\ \infty \\
 & \land\ \Box[\ \land\ t' = \mathbf{if}\ (\mathrm{Enabled}\ \langle A\rangle_v)' \\
 & \phantom{\land\ \Box[\ \land\ t' = \ }\mathbf{then}\ \mathbf{if}\ \langle A\rangle_v \lor \lnot\mathrm{Enabled}\ \langle A\rangle_v \\
 & \phantom{\land\ \Box[\ \land\ t' = \ \mathbf{then}\ }\mathbf{then}\ now + \delta \\
 & \phantom{\land\ \Box[\ \land\ t' = \ \mathbf{then}\ }\mathbf{else}\ t \\
 & \phantom{\land\ \Box[\ \land\ t' = \ }\mathbf{else}\ \infty \\
 & \phantom{\land\ \Box[\ }\land\ v' \neq v\ ]_{\langle t, v\rangle}
\end{array}
$$

Such a t is called a volatile $\delta$-timer. 

⁴Unlike the usual timers in computer systems that represent an increment of time, our timers 
represent an absolute time. To allow the type of strict time bound that would be expressed by 
replacing $\le$ with $<$ in the definition of MaxTime or MinTime, we could introduce, as additional 
possible values for timers, the set of all "infinitesimally shifted" real numbers $r^-$, where $t \le r^-$ iff 
$t < r$, for any reals t and r. 



Another interpretation of the timing requirement is that an A step must occur if 
A has been enabled for a total of $\delta$ seconds, though not necessarily continuously 
enabled. This is expressed by $MaxTime(t)$ when t satisfies 

$$
\begin{array}{ll}
PTimer(t, A, \delta, v) \;\triangleq & \land\ t = now + \delta \\
 & \land\ \Box[\ \land\ t' = \mathbf{if}\ \mathrm{Enabled}\ \langle A\rangle_v \\
 & \phantom{\land\ \Box[\ \land\ t' = \ }\mathbf{then}\ \mathbf{if}\ \langle A\rangle_v\ \mathbf{then}\ now + \delta\ \mathbf{else}\ t \\
 & \phantom{\land\ \Box[\ \land\ t' = \ }\mathbf{else}\ t + (now' - now) \\
 & \phantom{\land\ \Box[\ }\land\ \langle v, now\rangle' \neq \langle v, now\rangle\ ]_{\langle t, v, now\rangle}
\end{array}
$$

Such a t is called a persistent $\delta$-timer. We can use $\delta$-timers as lower-bound timers 
as well as upper-bound timers. 

Observe that $VTimer(t, A, \delta, v)$ has the form $Hist(t, f, g, v)$ and that $PTimer(t, A, \delta, v)$ 
has the form $Hist(t, f, g, \langle v, now\rangle)$, where Hist is defined by (4). Thus, if formula 
$\Pi$ implies that a variable t satisfies either of these formulas, then t is a history-determined variable for $\Pi$. 

As an example of the use of timers, we make the lossy queue of Section 2.1 nonlossy 
by adding the following timing constraints. 

• Values must be put on a wire at most once every $\delta_{snd}$ seconds. There are 
two conditions, one on the input wire and one on the output wire. They are 
expressed by using $\delta_{snd}$-timers $t_{Inp}$ and $t_{DeQ}$, for the actions Inp and DeQ, as 
lower-bound timers. 

• A value must be added to the queue at most $\Delta_{rcv}$ seconds after it appears on 
the input wire. This is expressed by using a $\Delta_{rcv}$-timer $T_{EnQ}$, for the enqueue 
action, as an upper-bound timer. 

• A value must be sent on the output wire within $\Delta_{snd}$ seconds of when it 
reaches the head of the queue. This is expressed by using a $\Delta_{snd}$-timer $T_{DeQ}$, 
for the dequeue action, as an upper-bound timer. 

The timed queue will be nonlossy if $\Delta_{rcv} < \delta_{snd}$. In this case, we expect the Inp, 
EnQ, and DeQ actions to remain enabled until they are "executed", so it doesn't 
matter whether we use volatile or persistent timers. We use volatile timers because 
they are a little easier to reason about. 






The timed version $\Pi'_Q$ of the queue's internal specification $\Pi_Q$ is obtained by 
conjoining the timing constraints to $\Pi_Q$: 

$$
\begin{array}{ll}
\Pi'_Q \;\triangleq & \land\ \Pi_Q \land RT_v \\
 & \land\ VTimer(t_{Inp}, Inp, \delta_{snd}, v) \land MinTime(t_{Inp}, Inp, v) \\
 & \land\ VTimer(t_{DeQ}, DeQ, \delta_{snd}, v) \land MinTime(t_{DeQ}, DeQ, v) \\
 & \land\ VTimer(T_{EnQ}, EnQ, \Delta_{rcv}, v) \land MaxTime(T_{EnQ}) \\
 & \land\ VTimer(T_{DeQ}, DeQ, \Delta_{snd}, v) \land MaxTime(T_{DeQ})
\end{array}
\tag{6}
$$

The external specification $\Phi'_Q$ of the timed queue is obtained by existentially 
quantifying first the timers and then the variables q and last. 

Formula $\Pi'_Q$ of (6) is not in the canonical form for a TLA formula. A straightforward 
calculation, using the type-correctness invariant (1) and the equivalence of $(\Box F) \land 
(\Box G)$ and $\Box(F \land G)$, converts the expression (6) for $\Pi'_Q$ to the canonical form 
given in Figure 3.⁵ Observe how each subaction A of the original formula has a 
corresponding timed version A'. Action A' is obtained by conjoining A with the 
appropriate relations between the old and new values of the timers. If A has a 
lower-bound timer, then A' also has a conjunct asserting that it is not enabled when 
now is less than this timer. (The lower-bound timer $t_{Inp}$ for Inp does not affect the 
enabling of other subactions because Inp is disjoint from all other subactions; a 
similar remark applies to the lower-bound timer $t_{DeQ}$.) There is also a new action, 
QTick, that advances now. 

Formula $\Pi'_Q$ is the TLA specification of a program that satisfies each maximum-delay constraint by preventing now from advancing before the constraint has been 
satisfied. Thus, the program "implements" timing constraints by stopping time, an 
apparent absurdity. However, the absurdity results from thinking of a TLA formula, 
or the abstract program that it represents, as a prescription of how something is 
accomplished. A TLA formula is really a description of what is supposed to happen. 
Formula $\Phi'_Q$ says only that an action occurs before now reaches a certain value. It 
is just our familiarity with ordinary programs that makes us jump to the conclusion 
that now is being changed by the system. 

$$
\begin{array}{ll}
Init'_Q \;\triangleq & \land\ InitQ \\
 & \land\ now \in \mathbf{R} \\
 & \land\ t_{Inp} = now + \delta_{snd} \\
 & \land\ t_{DeQ} = T_{EnQ} = T_{DeQ} = \infty \\[6pt]
Inp' \;\triangleq & \land\ Inp \\
 & \land\ t_{Inp} \le now \\
 & \land\ t'_{Inp} = now + \delta_{snd} \\
 & \land\ T'_{EnQ} = \mathbf{if}\ last' \neq ibit'\ \mathbf{then}\ now' + \Delta_{rcv}\ \mathbf{else}\ \infty \\
 & \land\ \langle t_{DeQ}, T_{DeQ}\rangle' = \mathbf{if}\ q = \langle\!\langle\,\rangle\!\rangle\ \mathbf{then}\ \langle\infty, \infty\rangle\ \mathbf{else}\ \langle t_{DeQ}, T_{DeQ}\rangle \\
 & \land\ now' = now \\[6pt]
EnQ' \;\triangleq & \land\ EnQ \\
 & \land\ T'_{EnQ} = \infty \\
 & \land\ \langle t_{DeQ}, T_{DeQ}\rangle' = \mathbf{if}\ q = \langle\!\langle\,\rangle\!\rangle\ \mathbf{then}\ \langle now + \delta_{snd}, now + \Delta_{snd}\rangle \\
 & \phantom{\land\ \langle t_{DeQ}, T_{DeQ}\rangle' = \ }\mathbf{else}\ \langle t_{DeQ}, T_{DeQ}\rangle \\
 & \land\ \langle t_{Inp}, now\rangle' = \langle t_{Inp}, now\rangle \\[6pt]
DeQ' \;\triangleq & \land\ DeQ \\
 & \land\ t_{DeQ} \le now \\
 & \land\ \langle t_{DeQ}, T_{DeQ}\rangle' = \mathbf{if}\ q' = \langle\!\langle\,\rangle\!\rangle\ \mathbf{then}\ \langle\infty, \infty\rangle \\
 & \phantom{\land\ \langle t_{DeQ}, T_{DeQ}\rangle' = \ }\mathbf{else}\ \langle now + \delta_{snd}, now + \Delta_{snd}\rangle \\
 & \land\ T'_{EnQ} = \mathbf{if}\ last' = ibit'\ \mathbf{then}\ \infty\ \mathbf{else}\ T_{EnQ} \\
 & \land\ \langle t_{Inp}, now\rangle' = \langle t_{Inp}, now\rangle \\[6pt]
QTick \;\triangleq & \land\ now' \in (now, \min(T_{DeQ}, T_{EnQ})] \\
 & \land\ \langle v, t_{Inp}, t_{DeQ}, T_{DeQ}, T_{EnQ}\rangle' = \langle v, t_{Inp}, t_{DeQ}, T_{DeQ}, T_{EnQ}\rangle \\[6pt]
v_t \;\triangleq & \langle v, now, t_{Inp}, t_{DeQ}, T_{DeQ}, T_{EnQ}\rangle \\[6pt]
\Pi'_Q \;\triangleq & \land\ Init'_Q \\
 & \land\ \Box[Inp' \lor EnQ' \lor DeQ' \lor QTick]_{v_t}
\end{array}
$$

Figure 3: The canonical form for $\Pi'_Q$, where $(r, s]$ denotes the set of reals u such 
that $r < u \le s$. 

⁵Further simplification of this formula is possible, but it requires an invariant. In particular, the 
fourth conjunct of $DeQ'$ can be replaced by $T'_{EnQ} = T_{EnQ}$. 

3.2 Reasoning About Time 

Formula $\Pi'_Q$ is a safety property; it is satisfied by a behavior in which no variables 
change values. In particular, it allows behaviors in which time stops. We can rule 
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out such behaviors by conjoining to Wq the liveness property 

NZ 4 V? e R : 0(now > t) 

which asserts that now gets arbitrarily large. However, when reasoning only about 
real-time properties, this is not necessary. For example, suppose we want to 
show that our timed queue satisfies a real-time property expressed by formula ^I'', 
which is also a safety property. If TI'q implies , then O g A NZ implies A NZ. 
Conversely, we don't expect conjoining a liveness property to add safety properties; 
if TI'q a NZ implies *^ then TI'q by itself should imply ^' — a point discussed in 
Section 3.3 below. Hence, there is no need to introduce the liveness property NZ. 

A safety property we might want to prove for the timed queue is that it does not lose any inputs. To express this property, let $hinp$ be the history variable, determined by $Hin$ of (5), that records the sequence of input values; and let $hout$ and $Hout$ be the analogous history variable and property for the outputs. The assertion that the timed queue loses no inputs is expressed by

$$\Pi'_Q \land Hin \land Hout \;\Rightarrow\; \Box(hout \preceq hinp)$$

where $\alpha \preceq \beta$ iff $\alpha$ is an initial prefix of $\beta$. This is a standard invariance property. The usual method for proving such properties leads to the following invariant

$$\begin{aligned}
& \land\; T_Q \land (t_{Inp}, now \in \mathbb{R}) \land (T_{EnQ}, t_{DeQ}, T_{DeQ} \in \mathbb{R} \cup \{\infty\}) \\
& \land\; now \le \min(T_{EnQ}, T_{DeQ}) \\
& \land\; (last = ibit) \Rightarrow (T_{EnQ} = \infty) \land (hinp = hout \circ q) \\
& \land\; (last \ne ibit) \Rightarrow (T_{EnQ} \le t_{Inp}) \land (hinp = hout \circ q \circ \langle\langle ival \rangle\rangle) \\
& \land\; (q = \langle\langle\rangle\rangle) \equiv (T_{DeQ} = \infty)
\end{aligned}$$

and to the necessary assumption $\Delta_{rcv} < \delta_{snd}$. (Recall that $T_Q$ is the type-correctness predicate (1) for $\Pi_Q$.)

Property $NZ$ is needed to prove that real-time properties imply liveness properties.

The desired liveness property for the timed queue is that the sequence of input messages up to any point eventually appears as the sequence of output messages. It is expressed by

$$\Pi'_Q \land NZ \;\Rightarrow\; \forall \sigma : \Box((hinp = \sigma) \Rightarrow \Diamond(hout = \sigma))$$

This formula is proved by first showing

$$\Pi'_Q \land NZ \;\Rightarrow\; WF_v(EnQ) \land WF_v(DeQ) \qquad (7)$$

and then using a standard liveness argument to prove

$$\Pi'_Q \land WF_v(EnQ) \land WF_v(DeQ) \;\Rightarrow\; \forall \sigma : \Box((hinp = \sigma) \Rightarrow \Diamond(hout = \sigma))$$

The proof that $\Pi'_Q \land NZ$ implies $WF_v(EnQ)$ is by contradiction. Assume $EnQ$ is forever enabled but never occurs. An invariance argument then shows that $\Pi'_Q$ implies that $T_{EnQ}$ forever equals its current value, preventing $now$ from advancing past that value; and this contradicts $NZ$. The proof that $\Pi'_Q \land NZ$ implies $WF_v(DeQ)$ is similar.

3.3 The NonZeno Condition 

The timed queue specification $\Pi'_Q$ asserts that a $DeQ$ action must occur between $\delta_{snd}$ and $\Delta_{snd}$ seconds of when it becomes enabled. What if $\Delta_{snd} < \delta_{snd}$? If an input occurs, it eventually is put in the queue, enabling $DeQ$. At that point, the value of $now$ can never become more than $\Delta_{snd}$ greater than its current value, so the program eventually reaches a "time-blocked state". In a time-blocked state, only the $QTick$ action can be enabled, and it cannot advance $now$ past some fixed time. In other words, eventually a state is reached in which every variable other than $now$ remains the same, and $now$ either remains the same or keeps advancing closer and closer to some upper bound.

We can attempt to correct such pathological specifications by requiring that $now$ increase without bound. This is easily done by conjoining the liveness property $NZ$ to the safety property $\Pi'_Q$, but that doesn't accomplish anything. Since $\Pi'_Q \land NZ$ rules out behaviors in which $now$ is bounded, it allows only behaviors in which there is no input, if $\Delta_{snd} < \delta_{snd}$. Such a specification is no better than the original specification $\Pi'_Q$. The fact that the safety property allows the possibility of reaching a time-blocked state indicates an error in the specification. One does not add timing constraints on output actions with the intention of forbidding input.
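The time-blocked state described above, searched for mechanically on a finite instance of the canonical form of $\Pi'_Q$ (an added example, not the paper's own code; the single-input restriction, the integer parameter values, and the strategy of advancing $now$ only to timer instants are assumptions of this example):

```python
"""Explicit-state search for time-blocked states of the timed queue.

Added example, not part of the paper.  It follows the canonical form of
Pi'_Q (Inp', EnQ', DeQ', QTick with volatile timers) for a finite instance:
the sender issues a single input, so its timer t_Inp only fixes when that
input may occur, and QTick is explored only at the timer instants, the only
times at which enabledness can change.  A state is "time-blocked" when no
action but QTick is enabled and QTick cannot advance now past
min(T_DeQ, T_EnQ).  Timer values are Fractions so deadlines compare exactly.
"""
from collections import deque
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import List, Optional

INF = float("inf")          # the timer value "infinity"


@dataclass(frozen=True)
class State:
    now: Fraction
    q: tuple                # queue contents (every input carries the value 1)
    pending: bool           # last != ibit: an input is on the line, not yet enqueued
    inputs_left: int        # how many Inp steps the sender may still take
    t_Inp: Fraction         # lower-bound timer for Inp
    T_EnQ: object           # upper-bound timer for EnQ (Fraction or INF)
    t_DeQ: object           # lower-bound timer for DeQ
    T_DeQ: object           # upper-bound timer for DeQ


class TimedQueue:
    def __init__(self, delta_snd, Delta_snd, Delta_rcv):
        self.d_snd = Fraction(delta_snd)    # minimum delay before DeQ
        self.D_snd = Fraction(Delta_snd)    # maximum delay before DeQ
        self.D_rcv = Fraction(Delta_rcv)    # maximum delay before EnQ

    def initial(self, inputs: int = 1) -> State:
        # Init'_Q: t_Inp = now + delta_snd, all other timers infinite
        return State(Fraction(0), (), False, inputs, self.d_snd, INF, INF, INF)

    def discrete_successors(self, s: State) -> List[State]:
        out = []
        # Inp': the sender may send once the previous input was consumed and
        # its lower-bound timer has expired; EnQ's upper-bound timer starts
        if s.inputs_left > 0 and not s.pending and s.t_Inp <= s.now:
            out.append(replace(s, pending=True, inputs_left=s.inputs_left - 1,
                               T_EnQ=s.now + self.D_rcv))
        # EnQ': append the input to q; DeQ's timers start if q was empty
        if s.pending:
            t, T = ((s.now + self.d_snd, s.now + self.D_snd) if not s.q
                    else (s.t_DeQ, s.T_DeQ))
            out.append(replace(s, pending=False, q=s.q + (1,), T_EnQ=INF,
                               t_DeQ=t, T_DeQ=T))
        # DeQ': output the head of q once its lower-bound timer has expired
        if s.q and s.t_DeQ <= s.now:
            rest = s.q[1:]
            t, T = ((INF, INF) if not rest
                    else (s.now + self.d_snd, s.now + self.D_snd))
            out.append(replace(s, q=rest, t_DeQ=t, T_DeQ=T))
        return out

    @staticmethod
    def deadline(s: State):
        return min(s.T_DeQ, s.T_EnQ)   # QTick may not move now past this

    def tick_successors(self, s: State) -> List[State]:
        # QTick: now' in (now, deadline]; only timer instants matter
        instants = {v for v in (s.t_Inp, s.t_DeQ, s.T_DeQ, s.T_EnQ)
                    if v != INF and s.now < v <= self.deadline(s)}
        return [replace(s, now=v) for v in sorted(instants)]

    def is_time_blocked(self, s: State) -> bool:
        return (not self.discrete_successors(s)
                and self.deadline(s) != INF and s.now == self.deadline(s))

    def find_time_blocked(self, inputs: int = 1) -> Optional[State]:
        """Breadth-first search; returns the first time-blocked state, or None
        when every reachable state can be continued with now unbounded."""
        start = self.initial(inputs)
        seen, todo = {start}, deque([start])
        while todo:
            s = todo.popleft()
            if self.is_time_blocked(s):
                return s
            for n in self.discrete_successors(s) + self.tick_successors(s):
                if n not in seen:
                    seen.add(n)
                    todo.append(n)
        return None


if __name__ == "__main__":
    # delta_snd <= Delta_snd: no time-blocked state (constructed parameters)
    print(TimedQueue(2, 5, 1).find_time_blocked())
    # Delta_snd < delta_snd: the pathological case discussed in the text
    print(TimedQueue(5, 2, 1).find_time_blocked())
```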

We call a safety property Zeno if it allows the system to reach a state from which $now$ must remain bounded. More precisely, a safety property $\Pi$ is nonZeno iff every finite behavior satisfying $\Pi$ can be completed to an infinite behavior satisfying $\Pi$ in which $now$ increases without bound. In other words, $\Pi$ is nonZeno iff the pair $(\Pi, NZ)$ is machine closed.^

Zeno specifications can be a source of incompleteness for proof methods. Only nonZeno behaviors are physically meaningful, so a real-time system with specification $\Pi$ satisfies a property $\Psi$ iff $\Pi \land NZ \Rightarrow \Psi$. Most methods for proving safety properties use only safety properties as hypotheses, so they can prove $\Pi \land NZ \Rightarrow \Psi$ for safety properties $\Pi$ and $\Psi$ only by proving $\Pi \Rightarrow \Psi$. NonZenoness of $\Pi$ means that $\Pi \land NZ \Rightarrow \Psi$ holds iff $\Pi \Rightarrow \Psi$ does. However, if $\Pi$ is Zeno, then $\Pi \land NZ \Rightarrow \Psi$ could hold even though $\Pi \Rightarrow \Psi$ does not, and these methods will be unable to prove that the system with specification $\Pi$ satisfies $\Psi$. NonZenoness is therefore required for completeness.

^An arbitrary property $\Pi$ is nonZeno iff $(\mathcal{C}(\Pi), \Pi \land NZ)$ is machine closed. We restrict our attention to real-time constraints for safety specifications.

The following result can be used to ensure that a real-time specification written in terms of volatile $\delta$-timers is nonZeno.

Theorem 1 Let $v$ be the tuple of variables free in $Init$ or $\mathcal{N}$. The property

$$\begin{aligned}
& \land\; Init \land \Box[\mathcal{N}]_v \land RT_v \\
& \land\; \forall i \in I : VTimer(t_i, A_i, \delta_i, v) \land MinTime(t_i, A_i, v) \\
& \land\; \forall j \in J : VTimer(T_j, A_j, \Delta_j, v) \land MaxTime(T_j)
\end{aligned}$$

is nonZeno if $now$ does not appear in $v$, $I$ and $J$ are finite sets, and for all $i \in I$ and $j \in J$:

1. $\langle A_j \rangle_v$ is a subaction of $Init \land \Box[\mathcal{N}]_v$ whose free variables appear in $v$,

2. $\langle A_i \rangle_v$ and $\langle A_j \rangle_v$ are disjoint for $Init \land \Box[\mathcal{N}]_v$ if $i \ne j$,

3. $\delta_i$ and $\Delta_j$ are positive reals and, if $i = j$, then $\delta_i \le \Delta_j$,

4. the $t_i$ and $T_j$ are distinct variables different from $now$ and from the variables in $v$.

We can apply the theorem to prove that the specification $\Pi'_Q$ is nonZeno if $\delta_{snd} \le \Delta_{snd}$. The hypotheses of the theorem are checked as follows.

1. Actions $\langle DeQ \rangle_v$ and $\langle EnQ \rangle_v$ imply $\mathcal{N}_Q$, so they are subactions of $\Pi_Q$.

2. The conjunction of any two of the actions $\langle Inp \rangle_v$, $\langle DeQ \rangle_v$, and $\langle EnQ \rangle_v$ equals $false$, so the actions are pairwise disjoint for $\Pi_Q$.^

3. The hypothesis $\delta_{snd} \le \Delta_{snd}$ is used here.

4. Trivial.

^Actually, the type-correctness predicate $T_Q$ is needed to prove that $\langle Inp \rangle_v \land \langle DeQ \rangle_v$ equals $false$.



The theorem is valid for persistent as well as volatile timers. Any combination of $VTimer$ and $PTimer$ formulas may occur, except that a single $A_k$ cannot have a persistent lower-bound timer $t_k$ and a volatile upper-bound timer $T_k$. All of these results are corollaries of the following theorem, which in turn is a consequence of Theorem 4 of Section 4.

Theorem 2 Let

• $\Pi$ be a safety property of the form $Init \land \Box[\mathcal{N}]_v$,

• $t_i$ and $T_j$ be timers for $\Pi$ and let $A_k$ be an action, for all $i \in I$, $j \in J$, and $k \in I \cup J$, where $I$ and $J$ are sets, with $J$ finite,

• $\Pi' \;\triangleq\; \Pi \land RT_v \land \forall i \in I : MinTime(t_i, A_i, v) \land \forall j \in J : MaxTime(T_j)$

If

1. $\langle A_i \rangle_v$ and $\langle A_j \rangle_v$ are disjoint for $\Pi$, for all $i \in I$ and $j \in J$ with $i \ne j$,

2. (a) $now$ does not occur free in $v$,
   (b) $(now' = r) \land (v' = v)$ is a subaction of $\Pi$, for all $r \in \mathbb{R}$,

3. for all $j \in J$:
   (a) $\langle A_j \rangle_v \land (now' = now)$ is a subaction of $\Pi$,
   (b) $\Pi \Rightarrow VTimer(T_j, A_j, \Delta_j, v)$, or $\Pi \Rightarrow PTimer(T_j, A_j, \Delta_j, v)$, where $\Delta_j \in (0, \infty)$,
   (c) $\Pi' \Rightarrow \Box(Enabled\, \langle A_j \rangle_v \equiv Enabled\, (\langle A_j \rangle_v \land (now' = now)))$,
   (d) $(v' = v) \Rightarrow (Enabled\, \langle A_j \rangle_v \equiv (Enabled\, \langle A_j \rangle_v)')$,

4. $\Pi' \Rightarrow \Box(t_k \le T_k)$, for all $k \in I \cap J$,

then $(\Pi', NZ)$ is machine closed.

Most nonaxiomatic approaches, including both real-time process algebras and more traditional programming languages with timing constraints, essentially use $\delta$-timers for actions. Theorem 2 implies that they automatically yield nonZeno specifications.
Theorem 2 can be further generalized in two ways. First, $J$ can be infinite if $\Pi'$ implies that only a finite number of actions $A_j$ with $j \in J$ are enabled before time $r$, for any $r \in \mathbb{R}$. For example, by letting $A_j$ be the action that sends message number $j$, we can apply the theorem to a program that sends messages number 1 through $n$ at time $n$, for every integer $n$. This program is nonZeno even though the number of actions per second that it performs is unbounded. Second, we can extend the theorem to the more general class of timers obtained by letting the $\Delta_j$ be arbitrary real-valued state functions, rather than just constants, if all the $\Delta_j$ are bounded from below by a positive constant $\Delta$.

Theorem 2 can be proved using Propositions 1 and 3 and ordinary TLA reasoning. By these propositions, it suffices to display a formula $L$ that is the conjunction of fairness conditions on subactions of $\Pi'$ such that $\Pi' \land L$ implies $NZ$. A suitable $L$ is $WF_{(now, v)}(C)$, where $C$ is an action that either (a) advances $now$ by $\min_{j \in J} \Delta_j$ if allowed by the upper-bound timers $T_j$, or else as far as they do allow, or (b) executes an $\langle A_j \rangle_v$ action for which $now = T_j$. The proof in the appendix of Theorem 4, which implies Theorem 2, generalizes this approach.

Theorem 2 does not cover all situations of interest. For example, one can require of our timed queue that the first value appear on the output line within $\epsilon$ seconds of when it is placed on the input line. This effectively places an upper bound on the sum of the times needed for performing the $EnQ$ and $DeQ$ actions; it cannot be expressed with $\delta$-timers on individual actions. For these general timing constraints, nonZenoness must be proved for the individual specification. The proof uses the method described above for proving Theorem 2: we add to the timed program $\Pi'$ a liveness property $L$ that is the conjunction of any fairness properties we like, including fairness of the action that advances $now$, and prove that $\Pi' \land L$ implies $NZ$. NonZenoness then follows from Propositions 1 and 3.

There is another possible approach to proving nonZenoness. One can make granularity assumptions: lower bounds both on the amount by which $now$ is incremented and on the minimum delay for each action. Under these assumptions, nonZenoness is equivalent to the absence of deadlock, which can be proved by existing methods. Granularity assumptions are probably adequate; after all, what harm can come from pretending that nothing happens in less than $10^{-100}$ nanoseconds? However, they can be unnatural and cumbersome. For example, distributed algorithms often assume that only message delays are significant, so the time required for local actions is ignored. The specification of such an algorithm should place no lower bound on the time required for a local action, but that would violate any granularity assumptions. We believe that any proof of deadlock freedom based on granularity can be translated into a proof of nonZenoness using the method outlined above.

So far, we have been discussing nonZenoness of the internal specification, where both the timers and the system's internal variables are visible. Timers are defined by adding history-determined variables, so existentially quantifying over them preserves nonZenoness by Proposition 2. We expect most specifications to be fin [2, page 263], so nonZenoness will also be preserved by existentially quantifying over the system's internal variables. This is the case for the timed queue.

3.4 An Example: Fischer's Protocol

As another example of real-time closed systems, we treat a simplified version of a real-time mutual exclusion protocol proposed by Fischer [9], [12, page 2]. The example was suggested by Schneider [18]. The protocol consists of each process $i$ executing the following code, where angle brackets denote instantaneous atomic actions:

    a: ⟨await (x = 0)⟩;
    b: ⟨x := i⟩;
    c: ⟨await (x = i)⟩;
    cs: critical section

There is a maximum delay $\Delta_b$ between the execution of the test in statement a and the assignment in statement b, and a minimum delay $\delta_c$ between the assignment in statement b and the test in statement c. The problem is to prove that, with suitable conditions on $\Delta_b$ and $\delta_c$, this protocol guarantees mutual exclusion (at most one process can enter its critical section).

As written, Fischer's protocol permits only one process to enter its critical section one time. The protocol can be converted to an actual mutual exclusion algorithm. The correctness proof of the protocol is easily extended to a proof of such an algorithm.

The TLA specification of the protocol is given in Figure 4. The formula $\Pi_F$ describing the untimed version is standard TLA. We assume a finite set $Proc$ of processes. Variable $x$ represents the program variable x, and variable $pc$ represents the control state. The value of $pc$ will be an array indexed by $Proc$, where $pc[i]$ equals one of the strings "a", "b", "c", "cs" when control in process $i$ is at the corresponding statement. The initial predicate $Init_F$ asserts that $pc[i]$ equals "a" for each process $i$, so the processes start with control at statement a. No assumption on the initial value of $x$ is needed to prove mutual exclusion.

$$\begin{aligned}
Init_F \;\triangleq\;& \forall i \in Proc : pc[i] = \text{"a"} \\[1ex]
Go(i, u, v) \;\triangleq\;& \land\; pc[i] = u \\
& \land\; pc'[i] = v \\
& \land\; \forall j \in Proc : (j \ne i) \Rightarrow (pc'[j] = pc[j]) \\[1ex]
A_i \;\triangleq\;& Go(i, \text{"a"}, \text{"b"}) \land (x = x' = 0) \\
B_i \;\triangleq\;& Go(i, \text{"b"}, \text{"c"}) \land (x' = i) \\
C_i \;\triangleq\;& Go(i, \text{"c"}, \text{"cs"}) \land (x = x' = i) \\
\mathcal{N}_F \;\triangleq\;& \exists i \in Proc : (A_i \lor B_i \lor C_i) \\
\Pi_F \;\triangleq\;& Init_F \land \Box[\mathcal{N}_F]_{(x, pc)} \\[1ex]
\Pi'_F \;\triangleq\;& \land\; \Pi_F \land RT_{(x, pc)} \\
& \land\; \forall i \in Proc : \land\; VTimer(T_b[i], B_i, \Delta_b, (x, pc)) \\
& \qquad\qquad\qquad\;\; \land\; MaxTime(T_b[i]) \\
& \land\; \forall i \in Proc : \land\; VTimer(t_c[i], Go(i, \text{"c"}, \text{"cs"}), \delta_c, (x, pc)) \\
& \qquad\qquad\qquad\;\; \land\; MinTime(t_c[i], C_i, (x, pc))
\end{aligned}$$

Figure 4: The TLA specification of Fischer's real-time mutual exclusion protocol.

Next come the definitions of the three actions corresponding to program statements a, b, and c. They are defined using the formula $Go$, where $Go(i, u, v)$ asserts that control in process $i$ changes from $u$ to $v$, while control remains unchanged in the other processes. Action $A_i$ represents the execution of statement a by process $i$; actions $B_i$ and $C_i$ have the analogous interpretation. In this simple protocol, a process stops when it gets to its critical section, so there are no other actions. The program's next-state action $\mathcal{N}_F$ is the disjunction of all these actions. Formula $\Pi_F$ asserts that all processes start at statement a, and every step consists of executing the next statement of some process.

Action $B_i$ is enabled by the execution of action $A_i$. Therefore, the maximum delay of $\Delta_b$ between the execution of statements a and b can be expressed by an upper-bound constraint on a volatile $\Delta_b$-timer for action $B_i$. The variable $T_b$ is an array of such timers, where $T_b[i]$ is the timer for action $B_i$.

The constant $\delta_c$ is the minimum delay between when control reaches statement c and when that statement is executed. Therefore, we need an array $t_c$ of lower-bound timers for the actions $C_i$. The delay is measured from the time control reaches statement c, so we want $t_c[i]$ to be a $\delta_c$-timer on an action that becomes enabled when process $i$ reaches statement c and is not executed until $C_i$ is. A suitable choice for this action is $Go(i, \text{"c"}, \text{"cs"})$.

Adding these timers and timing constraints to the untimed formula $\Pi_F$ yields formula $\Pi'_F$ of Figure 4, the specification of the real-time protocol with the timers visible. The final specification, $\Phi'_F$, is obtained by quantifying over the timer variables $T_b$ and $t_c$. Since $B_i$ is a subaction of $\Pi_F$ and $pc[i] = \text{"c"}$ is disjoint from $B_j$, for all $i$ and $j$ in $Proc$, Theorem 2 implies that $\Pi'_F$ is nonZeno if $\Delta_b$ is positive. Proposition 2 can then be applied to prove that $\Phi'_F$ is nonZeno.

Mutual exclusion asserts that two processes cannot be in their critical sections at the same time. It is expressed by the predicate

$$Mutex \;\triangleq\; \forall i, j \in Proc : (pc[i] = pc[j] = \text{"cs"}) \Rightarrow (i = j)$$

The property to be proved is

$$Assump \land \Phi'_F \;\Rightarrow\; \Box Mutex \qquad (8)$$

where $Assump$ expresses the assumptions about the constants $Proc$, $\Delta_b$, and $\delta_c$ needed for correctness. Since the timer variables do not occur in $Mutex$ or $Assump$, (8) is equivalent to

$$Assump \land \Pi'_F \;\Rightarrow\; \Box Mutex$$

The standard method for proving this kind of invariance property leads to the invariant

$$\begin{aligned}
& \land\; now \in \mathbb{R} \\
& \land\; \forall i \in Proc : \\
& \qquad \land\; T_b[i], t_c[i] \in \mathbb{R} \cup \{\infty\} \\
& \qquad \land\; pc[i] \in \{\text{"a"}, \text{"b"}, \text{"c"}, \text{"cs"}\} \\
& \qquad \land\; (pc[i] = \text{"cs"}) \Rightarrow \land\; x = i \\
& \qquad\qquad\qquad\qquad\qquad\;\; \land\; \forall j \in Proc : pc[j] \ne \text{"b"} \\
& \qquad \land\; (pc[i] = \text{"c"}) \Rightarrow \land\; x \ne 0 \\
& \qquad\qquad\qquad\qquad\qquad\;\; \land\; \forall j \in Proc : (pc[j] = \text{"b"}) \Rightarrow (t_c[i] > T_b[j]) \\
& \qquad \land\; (pc[i] = \text{"b"}) \Rightarrow (T_b[i] \le now + \Delta_b) \\
& \qquad \land\; now \le T_b[i]
\end{aligned}$$

and the assumption

$$Assump \;\triangleq\; (0 \notin Proc) \land (\Delta_b, \delta_c \in \mathbb{R}) \land (\Delta_b < \delta_c)$$
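The invariance argument for (8), carried out by exhaustive exploration of a two-process instance of $\Pi'_F$ (an added example, not the paper's own code; the choice $Proc = \{1, 2\}$, the parameter values, and the strategy of advancing $now$ only to timer instants are assumptions of this example). It checks both $Mutex$ and the invariant above in every reachable state, with $Assump$ satisfied and with it violated:

```python
"""Explicit-state check of Fischer's protocol with the timing constraints of
Figure 4.

Added example, not from the paper.  It enumerates the reachable states of
Pi'_F for a small finite Proc, advancing now only at timer instants (the only
times at which enabledness changes), and reports the first reachable state
violating a given predicate.  The volatile timers follow the text: T_b[i] is
set to now + Delta_b when B_i becomes enabled and t_c[i] to now + delta_c when
control reaches statement c; QTick never moves now past any T_b[i].
"""
from collections import deque
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import Callable, List, Optional

INF = float("inf")


@dataclass(frozen=True)
class State:
    now: Fraction
    x: int
    pc: tuple       # pc[i] for process i is stored at index i - 1
    T_b: tuple      # upper-bound timers for the B_i actions
    t_c: tuple      # lower-bound timers for the C_i actions


def _set(t: tuple, k: int, v) -> tuple:
    return t[:k] + (v,) + t[k + 1:]


class Fischer:
    def __init__(self, procs: int, Delta_b, delta_c):
        self.procs = list(range(1, procs + 1))        # Proc = {1..n}, 0 not in Proc
        self.Delta_b, self.delta_c = Fraction(Delta_b), Fraction(delta_c)

    def initial(self, x: int = 0) -> State:
        n = len(self.procs)
        return State(Fraction(0), x, ("a",) * n, (INF,) * n, (INF,) * n)

    def successors(self, s: State) -> List[State]:
        out = []
        for i in self.procs:
            k = i - 1
            if s.pc[k] == "a" and s.x == 0:              # A_i: <await x = 0>
                out.append(replace(s, pc=_set(s.pc, k, "b"),
                                   T_b=_set(s.T_b, k, s.now + self.Delta_b)))
            elif s.pc[k] == "b":                         # B_i: <x := i>
                out.append(replace(s, x=i, pc=_set(s.pc, k, "c"),
                                   T_b=_set(s.T_b, k, INF),
                                   t_c=_set(s.t_c, k, s.now + self.delta_c)))
            elif s.pc[k] == "c" and s.x == i and s.t_c[k] <= s.now:   # C_i
                out.append(replace(s, pc=_set(s.pc, k, "cs"),
                                   t_c=_set(s.t_c, k, INF)))
        # QTick: now' in (now, min T_b]; explore only the timer instants
        deadline = min(s.T_b)
        instants = {v for v in s.T_b + s.t_c if v != INF and s.now < v <= deadline}
        out.extend(replace(s, now=v) for v in sorted(instants))
        return out

    def mutex(self, s: State) -> bool:
        return sum(p == "cs" for p in s.pc) <= 1

    def invariant(self, s: State) -> bool:
        """The invariant given in the text (expected to hold under Assump)."""
        for i in self.procs:
            k = i - 1
            if s.pc[k] not in ("a", "b", "c", "cs") or s.now > s.T_b[k]:
                return False
            if s.pc[k] == "cs" and not (s.x == i and all(p != "b" for p in s.pc)):
                return False
            if s.pc[k] == "c" and not (s.x != 0 and all(
                    s.t_c[k] > s.T_b[j - 1] for j in self.procs if s.pc[j - 1] == "b")):
                return False
            if s.pc[k] == "b" and not s.T_b[k] <= s.now + self.Delta_b:
                return False
        return True

    def first_violation(self, prop: Callable[[State], bool]) -> Optional[State]:
        """Breadth-first search from the initial state for a state where prop fails."""
        start = self.initial()
        seen, todo = {start}, deque([start])
        while todo:
            s = todo.popleft()
            if not prop(s):
                return s
            for n in self.successors(s):
                if n not in seen:
                    seen.add(n)
                    todo.append(n)
        return None


if __name__ == "__main__":
    good = Fischer(2, Delta_b=1, delta_c=2)       # Assump holds: Delta_b < delta_c
    print(good.first_violation(good.mutex), good.first_violation(good.invariant))
    bad = Fischer(2, Delta_b=2, delta_c=2)        # Assump violated
    print(bad.first_violation(bad.mutex))
```

With $\Delta_b = \delta_c$ the search finds a run in which one process executes $C_i$ at the same instant the other is still permitted to execute $B_j$, exactly the case the conjunct $t_c[i] > T_b[j]$ of the invariant excludes.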
4 Open Systems



A closed system is solipsistic. An open system interacts with an environment, 
where system steps are distinguished from environment steps. Sections 4.1 and 
4.2 reformulate a number of concepts introduced in [1] that are needed for treating 
open systems in TLA. Some new results appear in Section 4.3. The following two 
sections explain how reasoning about open systems is reduced to reasoning about 
closed systems, and how open systems are composed. 

4.1 Receptiveness and Realizability

To describe an open system in TLA, one defines an action $\mu$ such that $\mu$ steps are attributed to the system and $\neg\mu$ steps are attributed to the environment. A specification should constrain only system steps, not environment steps.

For safety properties, the concept of constraining is formalized as follows: if $\mu$ is an action and $\Pi$ a safety property, then $\Pi$ constrains at most $\mu$ iff, for any finite behavior $s_1, \ldots, s_n$ and state $s_{n+1}$, if $s_1, \ldots, s_n$ satisfies $\Pi$ and $(s_n, s_{n+1})$ is a $\neg\mu$ step, then $s_1, \ldots, s_{n+1}$ satisfies $\Pi$. The generalization to arbitrary properties of constraining at most is $\mu$-receptiveness. Intuitively, $\Pi$ is $\mu$-receptive iff every behavior in $\Pi$ can be achieved by an implementation that performs only $\mu$ steps, the environment being able to perform any $\neg\mu$ step. The concept of receptiveness is due to Dill [8]. The generalization to $\mu$-receptiveness is developed in [1].^ A safety property is $\mu$-receptive iff it constrains at most $\mu$.

The generalization of machine closure to open systems is machine realizability. Intuitively, $(\Pi, L)$ is $\mu$-machine realizable iff an implementation that performs only $\mu$ steps can ensure that any finite behavior satisfying $\Pi$ is completed to an infinite behavior satisfying $\Pi \land L$. Formally, $(\Pi, L)$ is defined to be $\mu$-machine realizable iff $(\Pi, L)$ is machine closed and $\Pi \land L$ is $\mu$-receptive. For $\mu$ equal to $true$, machine realizability reduces to machine closure.

^To translate from the semantic model of [1] into that of TLA, we let agents be pairs of states and identify an action $\mu$ with the set of all agents that are $\mu$ steps. A TLA behavior $s_1, s_2, \ldots$ corresponds to the sequence $s_1 \xrightarrow{\alpha_1} s_2 \xrightarrow{\alpha_2} s_3 \xrightarrow{\alpha_3} \cdots$, where $\alpha_i$ equals $(s_i, s_{i+1})$. With this translation, the definitions in [1] differ from the ones given here and in the appendix mainly by attributing the choice of initial state to the environment rather than to the system, requiring initial conditions to be assumptions about the environment rather than guarantees by the system.
4.2 The $\rightarrow$ Operator

A common way of specifying an open system is in terms of assumptions and guarantees [10], requiring the system to guarantee a property $M$ if its environment satisfies an assumption $E$. An obvious formalization of such a specification is the property $E \Rightarrow M$. However, this property contains behaviors in which the system violates $M$ and then the environment later violates $E$. Because the system cannot predict what the environment will do, such behaviors cannot occur in any actual implementation. A behavior $\sigma$ generated by any implementation satisfies the additional property that if any finite prefix of $\sigma$ satisfies $E$, then it satisfies $M$. We can therefore formalize the assumption/guarantee specification by the property $E \rightarrow M$, defined by: $\sigma \in E \rightarrow M$ iff $\sigma \in (E \Rightarrow M)$ and, for every finite prefix $\rho$ of $\sigma$, if $\rho$ satisfies $E$ then $\rho$ satisfies $M$. If $E$ and $M$ are safety properties, then $E \rightarrow M$ is as well.

For safety properties, the operator $\rightarrow$ is the implication operator of an intuitionistic logic [3]. Most valid propositional formulas without negation remain valid when $\Rightarrow$ is replaced by $\rightarrow$, if all the formulas that appear on the left of a $\rightarrow$ are safety properties. For example, the following formulas are valid if $\Phi$ and $\Pi$ are safety properties.

$$\Phi \rightarrow (\Pi \rightarrow \Psi) \;\equiv\; (\Phi \land \Pi) \rightarrow \Psi \qquad (9)$$

$$(\Phi \rightarrow \Psi) \land (\Pi \rightarrow \Psi) \;\equiv\; (\Phi \lor \Pi) \rightarrow \Psi$$

For any TLA formulas $\Phi$ and $\Pi$, the property $\Phi \rightarrow \Pi$ is expressible as a TLA formula.

4.3 Proving Machine Realizability

Propositions 1-3, which concern machine closure, have generalizations for machine realizability. Proposition 1 is the special case of Proposition 4 in which $\Phi$ and $\mu$ are identically $true$. Proposition 3 is similarly a special case of Proposition 5 if $(true, L_2)$ is machine closed, that is, if $L_2$ is a liveness property. This is sufficient for our purposes, since $NZ$ is a liveness property. The generalization of Proposition 2 is omitted; it would be analogous to Proposition 10 of [1].

Proposition 4 is stated in terms of $\mu$-invariance, which generalizes the ordinary concept of invariance. A predicate $P$ is a $\mu$-invariant of a formula $\Pi$ iff, in any behavior satisfying $\Pi$, no $\mu$-step makes $P$ false. This condition is expressed by the TLA formula $\Pi \Rightarrow \Box[(\mu \land P) \Rightarrow P']_P$.
Proposition 4 If $\Pi$ and $\Phi$ are safety properties, $\Pi$ constrains at most $\mu$, and $L$ is the conjunction of a finite or countably infinite number of formulas of the form $WF_w(A)$ and/or $SF_w(A)$, where, for each such formula,

1. $\langle A \rangle_w$ is a subaction of $\Pi \land \Phi$,

2. $\Pi \land \Phi \Rightarrow \Box[\langle A \rangle_w \Rightarrow \mu]_w$,

3. if $A$ appears in a formula $SF_w(A)$, then $Enabled\, \langle A \rangle_w$ is a $\neg\mu$-invariant of $\Pi \land \Phi$,

then $(\Phi \rightarrow \Pi, \Phi \Rightarrow L)$ is $\mu$-machine realizable.

Proposition 5 If $\Phi$ and $\Pi$ are safety properties, $(\Phi \rightarrow \Pi, L_1)$ and $(true, L_2)$ are $\mu$-machine realizable, and $\Phi \land \Pi \land L_1$ implies $L_2$, then $(\Phi \rightarrow \Pi, L_2)$ is $\mu$-machine realizable.

4.4 Reduction to Closed Systems

Consider a specification $E \rightarrow M$, where $E$ and $M$ are safety properties. We expect the system's requirement to restrict only system steps, meaning that $M$ constrains at most $\mu$. This implies that $E \rightarrow M$ also constrains at most $\mu$. We also expect the environment assumption $E$ not to constrain system steps; formally, $E$ does not constrain $\mu$ iff it constrains at most $\neg\mu$ and it is satisfied by every (finite behavior consisting only of an) initial state.^

Suppose $E$ and $M$ have the following form:

$$\begin{aligned}
E \;&\triangleq\; \Box[\mu \lor \mathcal{N}_E]_v \\
M \;&\triangleq\; Init \land \Box[\neg\mu \lor \mathcal{N}_M]_v
\end{aligned}$$

Then $E$ does not constrain $\mu$ and $M$ constrains at most $\mu$. If the system's next-state action $\mathcal{N}_M$ implies $\mu$, and the environment's next-state action $\mathcal{N}_E$ implies $\neg\mu$, then a simple calculation shows that

$$E \land M \;\equiv\; Init \land \Box[\mathcal{N}_E \lor \mathcal{N}_M]_v \qquad (10)$$

Conjunction represents parallel composition, so $E \land M$ is the formula describing the closed system consisting of the open system together with its environment. Observe that $E \land M$ has precisely the form we expect for a closed system comprising two components with next-state actions $\mathcal{N}_E$ and $\mathcal{N}_M$.

^The asymmetry between constrains at most and does not constrain arises because we assign the system responsibility for the initial state.

We can make the inverse transformation from a closed system specification $\Pi$ to the corresponding assumption/guarantee specification $E \rightarrow M$ such that $\Pi$ equals $E \land M$, where $E$ does not constrain $\mu$ and $M$ constrains at most $\mu$. This is possible because any safety property $\Pi$ can be written as such a conjunction.

Implementation means implication. A system with guarantee $\overline{M}$ implements a system with guarantee $M$, under environment assumption $E$, iff $E \rightarrow \overline{M}$ implies $E \rightarrow M$. When $E$ and $\overline{M}$ are safety properties, $E \rightarrow \overline{M}$ implies $E \rightarrow M$ iff $E \land \overline{M}$ implies $E \land M$. Thus, proving that one open system implements another is equivalent to proving the implementation relation for the corresponding closed systems. Implementation for open systems therefore reduces to implementation for closed systems.

4.5 Composition

The distinguishing feature of open systems is that they can be composed. The proof that the composition of two specifications implements a third specification is based on the following result, which is a reformulation of Theorem 2 of [1] for safety properties.

Theorem 3 If $E$, $E_1$, $E_2$, $M_1$, and $M_2$ are safety properties and $\mu_1$ and $\mu_2$ are actions such that

1. $E_1$ does not constrain $\mu_1$ and $E_2$ does not constrain $\mu_2$,

2. $M_1$ constrains at most $\mu_1$ and $M_2$ constrains at most $\mu_2$,

then the following proof rule is valid:

$$\frac{E \land M_1 \land M_2 \;\Rightarrow\; E_1 \land E_2}{(E_1 \rightarrow M_1) \land (E_2 \rightarrow M_2) \;\Rightarrow\; (E \rightarrow M_1 \land M_2)}$$

This theorem is essentially the same as Theorem 1 of [3]; the proof is omitted.

5 Real-Time Open Systems

In Section 3, we saw how we can represent time by the variable $now$ and introduce timing constraints with timers. To extend the method to open systems, we need only decide how to separate timing properties into environment assumptions and system guarantees. An examination of a paradoxical example in Section 5.1 leads to the general form described in Section 5.2, where the concept of nonZenoness is generalized.

5.1 A Paradox

Consider the two components $\Pi_1$ and $\Pi_2$ of Figure 5. Let the specification of $\Pi_1$ be $P_y \rightarrow P_x$, which asserts that it writes a "good" sequence of outputs on $x$ if its environment writes a good sequence of inputs on $y$. Let $P_x \rightarrow P_y$ be the specification of $\Pi_2$, so $\Pi_2$ writes a good sequence of outputs on $y$ if its environment writes a good sequence of inputs on $x$. If $P_x$ and $P_y$ are safety properties, then it appears that we should be able to apply Theorem 3, our composition principle, to deduce that the composite system $\Pi_{12}$ satisfies $P_x \land P_y$, producing good sequences of values on $x$ and $y$. (We can define $\mu_1$ and $\mu_2$ so that writing on $x$ is a $\mu_1$ action and writing on $y$ is a $\mu_2$ action.)

Now, suppose $P_x$ and $P_y$ both assert that the value 0 is written by noon. These can be regarded as safety properties, since they assert that an undesirable event never occurs, namely, noon passing without a 0 having been written. Hence, the composition principle apparently asserts that $\Pi_{12}$ sends 0's along both $x$ and $y$ by noon. However, the specifications of $\Pi_1$ and $\Pi_2$ are satisfied by systems that wait for a 0 to be input, whereupon they immediately output a 0. The composition of those two systems does nothing.

This paradox depends on the ability of a system to respond instantaneously to an input. It is tempting to rule out such systems, perhaps even to outlaw specifications like these. We show that this Draconian measure is unnecessary. Indeed, if the specification of $\Pi_2$ is strengthened to assert that a 0 must unconditionally be written on $y$ by noon, then there is no paradox, and the composition does guarantee that a 0 is written on both $x$ and $y$ by noon. All paradoxes disappear when one carefully examines how the specifications must be written.

Figure 5: The composition of two systems.

To resolve the paradox, we examine more closely the specifications $S_1$ and $S_2$ of $\Pi_1$ and $\Pi_2$. For simplicity, let the only possible output actions be the setting of $x$ and $y$ to 0. The untimed version of $S_1$ then asserts that, if the environment does nothing but set $y$ to 0, then the system does nothing but set $x$ to 0. This is expressed in TLA by letting

$$\begin{aligned}
\mathcal{N}_x \;&\triangleq\; (x' = 0) \land (y' = y) \qquad\qquad \nu_1 \;\triangleq\; x' \ne x \\
\mathcal{N}_y \;&\triangleq\; (y' = 0) \land (x' = x)
\end{aligned}$$

and defining the untimed version of specification $S_1$ to be

$$\Box[\nu_1 \lor \mathcal{N}_y]_{(x, y)} \;\rightarrow\; \Box[\neg\nu_1 \lor \mathcal{N}_x]_{(x, y)} \qquad (11)$$

To add timing constraints, we must first decide whether the system or the environment should change $now$. Since the advancing of $now$ is a mythical action that does not have to be performed by any device, either decision is possible. Somewhat surprisingly, it turns out to be more convenient to let the system advance time. With the convention that initial conditions appear in the system guarantee, we define:

$$\begin{aligned}
\mathcal{N}'_x \;&\triangleq\; \mathcal{N}_x \land (now' = now) & MT_x \;&\triangleq\; MaxTime(T_x) \\
\mathcal{N}'_y \;&\triangleq\; \mathcal{N}_y \land (now' = now) & MT_y \;&\triangleq\; MaxTime(T_y) \\
T_x \;&\triangleq\; \textbf{if}\ x \ne 0\ \textbf{then}\ 12\ \textbf{else}\ \infty & \mu_1 \;&\triangleq\; \nu_1 \lor (now' \ne now) \\
T_y \;&\triangleq\; \textbf{if}\ y \ne 0\ \textbf{then}\ 12\ \textbf{else}\ \infty \\
E_1 \;&\triangleq\; \Box[\mu_1 \lor \mathcal{N}'_y]_{(x, y, now)} \\
M_1 \;&\triangleq\; (now = 0) \land \Box[\neg\mu_1 \lor \mathcal{N}'_x]_{(x, y, now)} \land RT_{(x, y)} \land MT_x
\end{aligned}$$

Adding timing constraints to (11) the same way we did for closed systems then leads to the following timed version of specification $S_1$.

$$(E_1 \land MT_y) \rightarrow M_1 \qquad (12)$$

However, this does not have the right form for an open system specification because $MT_y$ constrains the advance of $now$, so the environment assumption constrains $\mu_1$. The conjunct $MT_y$ must be moved from the environment assumption to the system guarantee. Using (9), we rewrite (12) as:

$$S_1 \;\triangleq\; E_1 \rightarrow (MT_y \rightarrow M_1)$$

This has the expected form for an open system specification, with an environment assumption $E_1$ that does not constrain $\mu_1$ and a system guarantee $MT_y \rightarrow M_1$ that constrains at most $\mu_1$.

The specification $S_2$ of the second component in Figure 5 is similar, where $\mu_2$, $E_2$, $M_2$, and $S_2$ are obtained from $\mu_1$, $E_1$, $M_1$, and $S_1$ by substituting 2 for 1, $x$ for $y$, and $y$ for $x$.

We now compose specifications $S_1$ and $S_2$. The definitions of $M_1$ and $M_2$ and the observation that $P \rightarrow Q$ implies $P \Rightarrow Q$ yield

$$(MT_x \lor MT_y) \land (MT_y \rightarrow M_1) \land (MT_x \rightarrow M_2) \;\Rightarrow\; M_1 \land M_2 \qquad (13)$$

The definitions of $M_1$ and $M_2$ and simple temporal reasoning yield

$$E \land M_1 \land M_2 \;\Rightarrow\; E_1 \land E_2 \qquad (14)$$

where

$$E \;\triangleq\; \Box[\mu_1 \lor \mu_2]_{(x, y, now)}$$

Combining (13) and (14) proves

$$E \land (MT_x \lor MT_y) \land (MT_y \rightarrow M_1) \land (MT_x \rightarrow M_2) \;\Rightarrow\; E_1 \land E_2$$

We can therefore apply Theorem 3, substituting $E \land (MT_x \lor MT_y)$ for $E$, $MT_y \rightarrow M_1$ for $M_1$, and $MT_x \rightarrow M_2$ for $M_2$, to deduce

$$S_1 \land S_2 \;\Rightarrow\; (E \land (MT_x \lor MT_y) \rightarrow (MT_y \rightarrow M_1) \land (MT_x \rightarrow M_2))$$

Using the implication-like properties of $\rightarrow$, this simplifies to

$$S_1 \land S_2 \;\Rightarrow\; (E \rightarrow (MT_y \rightarrow M_1) \land (MT_x \rightarrow M_2)) \qquad (15)$$

All one can conclude about the composition from (15) is: either $x$ and $y$ are both 0 when $now$ reaches 12, or neither of them is 0 when $now$ reaches 12. There is no paradox.

As another example, we replace $S_2$ by the specification $E_2 \rightarrow M_2$. This specification, which we call $S_3$, asserts that the system sets $y$ to 0 by noon, regardless of whether the environment sets $x$ to 0. The definitions imply

$$MT_y \land E \land (MT_y \rightarrow M_1) \land M_2 \;\Rightarrow\; E_1 \land E_2$$

and Theorem 3 yields

$$S_1 \land S_3 \;\Rightarrow\; (E \rightarrow (MT_y \rightarrow M_1) \land M_2)$$

Since $M_2$ implies $MT_y$, this simplifies to

$$S_1 \land S_3 \;\Rightarrow\; (E \rightarrow M_1 \land M_2)$$

The composition of $S_1$ and $S_3$ does guarantee that both $x$ and $y$ equal 0 by noon.

5.2 Timing Constraints in General 

Our no-longer-paradoxical example suggests that the form of a real-time open system specification should be

$$E \stackrel{+}{\rightarrow} (P \stackrel{+}{\rightarrow} M) \qquad (16)$$

where $M$ describes the system's timing constraints and the advancing of $now$, and $P$ describes the upper-bound timing constraints for the environment. Since the environment's lower-bound timing constraints do not constrain the advance of $now$, they can remain in $E$. As we observed in Section 4.4, proving that one open specification implements another reduces to the proof for the corresponding closed systems. Since $E \stackrel{+}{\rightarrow} (P \stackrel{+}{\rightarrow} M)$ is equivalent to $(E \wedge P) \stackrel{+}{\rightarrow} M$, the closed system corresponding to (16) is the expected one, $E \wedge P \wedge M$.

For the specification (16) to be reasonable, its closed-system version, $E \wedge P \wedge M$, should be nonZeno. However, this is not sufficient. Consider a specification guaranteeing that the system produces a sequence of outputs until the environment sends a stop message, where the $n$th output must occur by time $(n-1)/n$. There is no timing assumption on the environment; it need never send a stop message. This is an unreasonable specification because $now$ cannot reach 1 until the environment sends its stop message, so the advance of time is contingent on an optional action of the environment. However, the corresponding closed-system specification is nonZeno, since time can always be made to advance without bound by having the environment send a stop message.

If advancing $now$ is a $\mu$ action, then a system that controls $\mu$ actions can guarantee time to be unbounded while satisfying a safety specification $S$ iff the pair $(S, NZ)$ is $\mu$-machine realizable. We therefore take this condition to be the definition of nonZenoness for an open system specification $S$.

For specifications in terms of $\delta$-timers, nonZenoness can be proved with generalizations to open systems of the theorems in Section 3.3. The following is the generalization of the strongest of them, Theorem 2. It is applied to a specification of the form (16) by substituting $E \wedge P$ for $E$.

Theorem 4 With the notation and hypotheses of Theorem 2, if $E$ and $M$ are safety properties such that $\Pi = E \wedge M$, and

5. $M$ constrains at most $\mu$,

6. (a) $\langle A_k \rangle_v \Rightarrow \mu$, for all $k \in I \cup J$,
   (b) $(now' \neq now) \Rightarrow \mu$

then $(E \stackrel{+}{\rightarrow} M', NZ)$ is $\mu$-machine realizable, where

$$M' \triangleq M \wedge RT_v \wedge \forall i \in I : \mathit{MinTime}(t_i, A_i, v) \wedge \forall j \in J : \mathit{MaxTime}(T_j)$$

The proof of Theorem 4, which appears in the appendix, is similar to the proof of Theorem 2 sketched in Section 3.3. It uses Propositions 4 and 5 instead of Propositions 1 and 3. Since machine realizability implies machine closure, Theorem 2 follows from Theorem 4 by letting $E$ and $\mu$ equal true and $M$ equal $\Pi$.

Theorem 4 applies to the internal specifications, where all variables are visible. For closed systems, existential quantification is handled with Proposition 2. For open systems, the generalization of this proposition, the analog of Proposition 10 of [1], is needed.

6 Conclusion 
6.1 What We Did 

We started with a simple idea — specifying and reasoning about real-time systems 
by representing time as an ordinary variable. This idea led to an exposition that 
most readers probably found quite difficult. What happened to the simplicity? 
About half of the exposition is a review of concepts unrelated to real time. All the fundamental concepts described in Sections 2 and 4, including machine closure, machine realizability, and the $\stackrel{+}{\rightarrow}$ operator, have appeared before [1, 2]. These concepts are subtle, but they are important for understanding any concurrent system; they were not invented for real-time systems.

We chose to formulate these concepts in TLA. Like any language, TLA seems 
complicated on first encounter. We believe that a true measure of simplicity of a 
formal language is the simplicity of its formal description. The complete syntax 
and formal semantics of TLA are given in about 1-1/2 pages of figures in [13]. 

We never claimed that specifying and reasoning about concurrent systems is easy. 
Verifying concurrent systems is difficult and error prone. Our assertions that one 
formula follows from another, made so casually in the exposition, must be backed 
up by detailed calculations. We have omitted the proofs for our examples, which, 
done with the same detail as the proofs in the appendix, occupy some twenty pages. 

We did claim that existing methods for specifying and reasoning about concurrent 
systems could be applied to real-time systems. Now, we can examine how hard 
they were to apply. 

We found few obstacles in the realm of closed systems. The second author has more 
than fifteen years of experience in the formal verification of concurrent algorithms, 
and we knew that old-fashioned methods could be applied to real-time systems. 
However, TLA is relatively new, and we were pleased by how well it worked. 
The formal specification of Fischer's protocol in Figure 4, obtained by conjoining 
timing constraints to the untimed protocol, is as simple and direct as we could have 
hoped for. Moreover, the formal correctness proofs of this protocol and of the queue 
example, using the method of reasoning described in [13], were straightforward. 
Perhaps the most profound discovery was the relation between nonZenoness and 
machine closure. 

Open systems made up for any lack of difficulty with closed systems. State-based approaches to open systems were a fairly recent development, and we had little experience with them. Studying real-time systems taught us a great deal, and led to a number of changes from the approach in [1]. For example, we now write specifications with $\stackrel{+}{\rightarrow}$ instead of $\Rightarrow$, and we put initial conditions in the system guarantee rather than in the environment assumption. Many alternative ways of writing real-time specifications seemed plausible; choosing one that works was surprisingly hard. Even the simple idea of putting the environment's timing assumptions to the left of a $\stackrel{+}{\rightarrow}$ in the system's guarantee came only after numerous failed efforts. Although the basic ideas we need to handle real-time open systems seem to be in place, we still have much to learn before reasoning about open systems becomes routine.

6.2 Beyond Real Time 

Real-time systems introduce a fundamentally new problem: adding physical continuity to discrete systems. Our solution is based on the observation that, when reasoning about a discrete system, we can represent continuous processes by discrete actions. If we can pretend that the system progresses by discrete atomic actions, we can pretend that those actions occur at a single instant of time, and that the continuous change to time also occurs in discrete steps. If there is no system action between noon and $\sqrt{2}$ seconds past noon, we can pretend that time advances by those $\sqrt{2}$ seconds in a single action.

Physical continuity arises not just in real-time systems, but in "real-pressure" and 
"real-temperature" process-control systems. Such systems can be described in the 
same way as real-time systems: pressure and temperature as well as time are repre- 
sented by ordinary variables. The continuous changes to pressure and temperature 
that occur between system actions are represented by discrete changes to the vari- 
ables. The fundamental assumption is that the real, physical system is accurately 
represented by a model in which the system makes discrete, instantaneous changes 
to the physical parameters it affects. 

The observation that continuous parameters other than time can be modeled by program variables has probably been known for years. However, the first published work we know of that uses this idea, by Marzullo, Schneider, and Budhiraja [14], appeared only recently.
Appendix

A Definitions

A.1 States and Behaviors

$S$: The set of all states (assignments of values to variables).

$S^*$: The set of finite behaviors (finite sequences of states).

$S^\infty$: The set of behaviors (infinite sequences of states).

$\lambda$: The empty sequence.

$|\sigma|$ [for $\sigma \in S^* \cup S^\infty$]: The length of $\sigma$.

$\sigma_n$ [for $\sigma \in S^* \cup S^\infty$ and $0 < n \le |\sigma|$]: The $n$th state in the sequence $\sigma$.

$\sigma|_n$ [for $\sigma \in S^* \cup S^\infty$ and $0 \le n \le |\sigma|$]: The finite behavior $\sigma_1, \ldots, \sigma_n$; equal to $\lambda$ when $n = 0$.

$\sigma \circ s$ [for $\sigma \in S^*$ and $s \in S$]: The finite behavior $\sigma_1, \ldots, \sigma_{|\sigma|}, s$.

$\sigma \simeq \tau$ [for $\sigma, \tau \in S^*$ or $\sigma, \tau \in S^\infty$]: $\sigma$ and $\tau$ are equal except for stuttering steps (repetitions of identical states).

$\sigma \simeq_x \tau$ [for $x$ a tuple of variables and either $\sigma, \tau \in S^*$ or $\sigma, \tau \in S^\infty$]: There exist behaviors $\hat{\sigma}$ and $\hat{\tau}$ such that
  $\wedge$ $\hat{\sigma} \simeq \sigma$ and $\hat{\tau} \simeq \tau$
  $\wedge$ $|\hat{\sigma}| = |\hat{\tau}|$
  $\wedge$ for every integer $n \le |\hat{\sigma}|$, the states $\hat{\sigma}_n$ and $\hat{\tau}_n$ are equal except for the values they assign to the variables of $x$.



A.2 Predicates and Actions

predicate: A subset of $S$.

state function: A mapping from $S$ to the set of values.

action: A subset of $S \times S$.

transition function: A mapping from $S \times S$ to the set of values.

$P'$ [for $P$ a predicate]: The action $\{(s, t) : t \in P\}$.

$f'$ [for $f$ a state function]: The transition function such that $f'(s, t) = f(t)$.

$\mathit{Enabled}\,A$ [for $A$ an action]: The predicate $\{s \in S : (\exists t \in S : (s, t) \in A)\}$.

$[A]_f$ [for $A$ an action and $f$ a state function]: $A \vee (f' = f)$

$\langle A \rangle_f$ [for $A$ an action and $f$ a state function]: $\neg[\neg A]_f$ (equals $A \wedge (f' \neq f)$).
A.3 Properties

property: A subset $\Pi$ of $S^\infty$ such that for any $\sigma, \tau$ in $S^\infty$, if $\sigma \simeq \tau$ then $\sigma \in \Pi$ iff $\tau \in \Pi$.

$\Box\Pi$ [for $\Pi$ a property]: The property $\{\sigma \in S^\infty : (\forall n > 0 : \sigma_n, \sigma_{n+1}, \ldots \in \Pi)\}$.

$\Box[A]_f$ [for $A$ an action and $f$ a state function]: The property $\{\sigma \in S^\infty : (\forall n > 0 : (\sigma_n, \sigma_{n+1}) \in [A]_f)\}$.

$\Diamond\Pi$ [for $\Pi$ a property or an action of the form $\langle A \rangle_f$]: $\neg\Box\neg\Pi$

$\Pi \leadsto \Phi$ [for $\Pi$ and $\Phi$ properties]: $\Box(\Pi \Rightarrow \Diamond\Phi)$

$WF_f(A)$ [for $f$ a state function and $A$ an action]: The property $(\Box\Diamond\langle A \rangle_f) \vee (\Box\Diamond\neg\mathit{Enabled}\,\langle A \rangle_f)$.

$SF_f(A)$ [for $f$ a state function and $A$ an action]: The property $(\Box\Diamond\langle A \rangle_f) \vee (\Diamond\Box\neg\mathit{Enabled}\,\langle A \rangle_f)$.

$\exists x : \Pi$ [for $x$ a tuple of variables and $\Pi$ a property]: The property $\{\sigma \in S^\infty : (\exists \rho \in \Pi : \rho \simeq_x \sigma)\}$.

A.4 Closure and Safety

$\sigma \models \Pi$ [for $\sigma \in S^*$ and $\Pi$ a property]: There exists $\tau \in \Pi$ and $n$ such that $\sigma = \tau|_n$.

$C(\Pi)$ [for $\Pi$ a property]: The property $\{\sigma \in S^\infty : (\forall n \ge 0 : \sigma|_n \models \Pi)\}$.

safety property: A property $\Pi$ such that $\Pi = C(\Pi)$.

$(\Pi, L)$ machine closed [for $\Pi$ and $L$ properties]: $\Pi = C(\Pi \wedge L)$

$\Phi \stackrel{+}{\rightarrow} \Pi$ [for $\Phi$ and $\Pi$ properties]: The property consisting of all behaviors $\sigma$ such that
  $\wedge$ $\sigma \in \Phi$ implies $\sigma \in \Pi$
  $\wedge$ for all $n \ge 0$: $\sigma|_n \models \Phi$ implies $\sigma|_n \models \Pi$.

A.5 Realizability

$\Pi$ constrains at most $\mu$ [for $\Pi$ a safety property and $\mu$ an action]: For any $s \in S$ and $\rho \in S^*$ with $|\rho| > 0$, if $\rho \models \Pi$ and $(\rho_{|\rho|}, s) \notin \mu$, then $\rho \circ s \models \Pi$.

$\Pi$ does not constrain $\mu$ [for $\Pi$ a safety property and $\mu$ an action]: $\Pi$ constrains at most $\neg\mu$, and every behavior of length 1 satisfies $\Pi$.

$\mu$-strategy [for $\mu$ an action]: A mapping $f$ from $S^*$ to $S \cup \{\bot\}$ such that $f(\rho) \neq \bot$ implies $(\rho_{|\rho|}, f(\rho)) \in \mu$, for any sequence $\rho \in S^*$ with $\rho \neq \lambda$.

$O_\mu(f)$ [for $\mu$ an action and $f$ a $\mu$-strategy]: The set of behaviors $\sigma$ such that
  $\wedge$ $f(\lambda) = \sigma_1$
  $\wedge$ for all $n > 0$: $(\sigma_n, \sigma_{n+1}) \in \mu$ implies $\sigma_{n+1} = f(\sigma|_n)$
  $\wedge$ for infinitely many $n$: $f(\sigma|_n) = \bot$ or $(\sigma_n, \sigma_{n+1}) \in \mu$.

$O_\mu(f, \rho)$ [for $\mu$ an action, $f$ a $\mu$-strategy, and $\rho \in S^*$]: If $\rho = \lambda$ then $O_\mu(f)$, else the set of behaviors $\sigma$ such that
  $\wedge$ $\rho = \sigma|_{|\rho|}$
  $\wedge$ for all $n \ge |\rho|$: $(\sigma_n, \sigma_{n+1}) \in \mu$ implies $\sigma_{n+1} = f(\sigma|_n)$
  $\wedge$ for infinitely many $n$: $f(\sigma|_n) = \bot$ or $(\sigma_n, \sigma_{n+1}) \in \mu$.

$\Pi$ is $\mu$-receptive [for $\Pi$ a property and $\mu$ an action]: For every behavior $\sigma \in \Pi$ there exists a $\mu$-strategy $f$ such that $\sigma \in O_\mu(f)$ and $O_\mu(f) \subseteq \Pi$.

$(\Pi, L)$ is $\mu$-machine realizable [for $\Pi$ and $L$ properties and $\mu$ an action]: $(\Pi, L)$ is machine closed and $\Pi \wedge L$ is $\mu$-receptive.

B Proofs 

B.1 Proof Notation

We use hierarchically structured proofs. The theorem to be proved is statement ⟨0⟩1. The proof of statement ⟨i⟩j is either an ordinary paragraph-style proof or the sequence of statements ⟨i+1⟩1, ⟨i+1⟩2, … and their proofs. A proof may be preceded by a proof sketch, which informally describes the proof. Within a proof, ⟨k⟩l denotes the most recent statement with that number. A statement has the form

  Assume: Assump  Prove: Goal

which is abbreviated to Goal if there is no assumption. The assertion Q.E.D. in statement number ⟨i+1⟩k of the proof of statement ⟨i⟩j denotes the goal of statement ⟨i⟩j. The statement

  Case: Assump

is an abbreviation for

  Assume: Assump  Prove: Q.E.D.

Within the proof of statement ⟨i⟩j, assumption ⟨i⟩ denotes that statement's assumption, and ⟨i⟩.k denotes the assumption's $k$th item.

We recommend that proofs be read hierarchically, from the top level down. To read the proof of a long level-$k$ step: (i) read the level-$(k+1)$ statements that comprise its proof, together with the proof of the final Q.E.D. step (which is usually a short paragraph), (ii) read the proof of each level-$(k+1)$ step, in any desired order.
B.2 Proof of Proposition 2

Assume: 1. $(\Pi, L)$ is machine closed.
        2. $x$ a tuple of variables, none of which occurs free in $L$.
        3. $\rho$ is a finite behavior satisfying $\exists x : \Pi$.
Prove: There exists an infinite behavior $\tau$ satisfying $(\exists x : \Pi) \wedge L$ such that $\rho$ is a prefix of $\tau$.

⟨1⟩1. Choose a finite behavior $\sigma$ satisfying $\Pi$ such that $\sigma \simeq_x \rho$.
  ⟨2⟩1. Choose a behavior $\phi$ such that $\phi \in \exists x : \Pi$ and $\rho$ a prefix of $\phi$.
     Proof: Assumption ⟨0⟩.3 and the definition of $\rho \models \exists x : \Pi$.
  ⟨2⟩2. Choose a behavior $\psi$ such that $\psi \in \Pi$ and $\psi \simeq_x \phi$.
     Proof: ⟨2⟩1 and the definition of $\exists x : \Pi$.
  ⟨2⟩3. There exists a prefix $\sigma$ of $\psi$ such that $\sigma \simeq_x \rho$.
     Proof: $\psi \simeq_x \phi$ (by ⟨2⟩2) and $\rho$ a prefix of $\phi$ (by ⟨2⟩1).
  ⟨2⟩4. Q.E.D.
     Proof: ⟨2⟩2 and ⟨2⟩3.
⟨1⟩2. Choose $\eta$ satisfying $\Pi \wedge L$ such that $\sigma$ is a prefix of $\eta$.
  Proof: The existence of $\eta$ follows from ⟨1⟩1 and assumption ⟨0⟩.1.
⟨1⟩3. Choose $\tau$ such that $\tau \simeq_x \eta$ and $\rho$ is a prefix of $\tau$.
  Proof: $\tau$ exists because $\sigma$ is a prefix of $\eta$ (by ⟨1⟩2) and $\sigma \simeq_x \rho$ (by ⟨1⟩1).
⟨1⟩4. $\tau$ satisfies $\exists x : \Pi$.
  Proof: ⟨1⟩2, ⟨1⟩3, and the definition of $\exists x : \Pi$.
⟨1⟩5. $\tau$ satisfies $L$.
  Proof: ⟨1⟩2, ⟨1⟩3, and assumption ⟨0⟩.2.
⟨1⟩6. Q.E.D.
  Proof: Steps ⟨1⟩4 and ⟨1⟩5 imply that $\tau$ satisfies $(\exists x : \Pi) \wedge L$, and $\rho$ is a prefix of $\tau$ by ⟨1⟩3.

B.3 Proof of Proposition 3

Assume: 1. $(\Pi, L_1)$ is machine closed.
        2. $\Pi \wedge L_1$ implies $L_2$.
Prove: $(\Pi, L_2)$ is machine closed.

Proof:
$$\Pi = C(\Pi \wedge L_1) \quad [\text{⟨0⟩.1}]$$
$$\phantom{\Pi} \subseteq C(\Pi \wedge L_2) \quad [\text{⟨0⟩.2, and } C \text{ is monotonic}]$$
$$\phantom{\Pi} \subseteq C(\Pi) \quad [C \text{ is monotonic}]$$
$$\phantom{\Pi} = \Pi \quad [\Pi \text{ is a safety property}]$$

This proves that $\Pi = C(\Pi \wedge L_2)$.
B.4 Two Lemmas About Machine Realizability

Lemma 1 $(\Pi, L)$ is $\mu$-machine realizable iff for every finite behavior $\tau$ satisfying $\Pi$, there exists a $\mu$-strategy $f$ such that $\tau \models O_\mu(f)$ and $O_\mu(f) \subseteq \Pi \wedge L$.

Proof: This is proved in Proposition 9 of [1]. □

Lemma 2 $(\Pi, L)$ is $\mu$-machine realizable iff for every finite behavior $\tau$ satisfying $\Pi$, there exists a $\mu$-strategy $f$ such that $O_\mu(f, \tau) \subseteq \Pi \wedge L$.

⟨1⟩1. Assume: 1. For all finite $\tau$ such that $\tau \models \Pi$, there exists $f_\tau$ such that
                 a. $f_\tau$ is a $\mu$-strategy.
                 b. $O_\mu(f_\tau, \tau) \subseteq \Pi \wedge L$
              2. $\rho$ a finite behavior such that $\rho \models \Pi$.
      Prove: There exists a $\mu$-strategy $g$ such that
                 $\wedge$ $\rho \models O_\mu(g)$
                 $\wedge$ $O_\mu(g) \subseteq \Pi \wedge L$
  ⟨2⟩1. Choose $g$ such that, for all $\sigma \in S^*$:
          $g(\sigma) \triangleq$ if $(\sigma = \rho|_n) \wedge (n < |\rho|)$
                        then if $(n = 0) \vee ((\rho_n, \rho_{n+1}) \in \mu)$ then $\rho_{n+1}$ else $\bot$
                        else $f_\eta(\sigma)$, where $\eta$ is the longest common prefix of $\rho$ and $\sigma$
     Proof: The requisite $f_\eta$ exists by assumption ⟨0⟩.2, since $\rho \models \Pi$ implies $\eta \models \Pi$, for any prefix $\eta$ of $\rho$.
  ⟨2⟩2. $g$ is a $\mu$-strategy.
     Proof: ⟨0⟩.1a and the definition of $g$ (⟨2⟩1).
  ⟨2⟩3. $O_\mu(g) \subseteq \Pi \wedge L$
     Proof: Assumption ⟨0⟩.1b, since $\kappa \in O_\mu(g)$ implies that $\kappa \in O_\mu(f_\eta, \eta)$, where $\eta$ is the longest common prefix of $\kappa$ and $\rho$.
  ⟨2⟩4. $\rho \models O_\mu(g)$
     Proof: The definition of $g$ implies that $\rho$ is a prefix of an element of $O_\mu(g)$.
  ⟨2⟩5. Q.E.D.
     Proof: ⟨2⟩2, ⟨2⟩3, and ⟨2⟩4.
⟨1⟩2. Assume: $(\Pi, L)$ is $\mu$-machine realizable and $\tau \models \Pi$.
      Prove: There exists a $\mu$-strategy $f$ such that $O_\mu(f, \tau) \subseteq \Pi \wedge L$.
  ⟨2⟩1. Choose a $\mu$-strategy $f$ such that $\tau \models O_\mu(f)$ and $O_\mu(f) \subseteq \Pi \wedge L$.
     Proof: Assumption ⟨1⟩ and Lemma 1.
  ⟨2⟩2. $O_\mu(f, \tau) \subseteq \Pi \wedge L$
     Proof: ⟨2⟩1 and the definition of $O_\mu(f, \tau)$.
  ⟨2⟩3. Q.E.D.
     Proof: ⟨2⟩1 and ⟨2⟩2.
⟨1⟩3. Q.E.D.
  Proof: By ⟨1⟩1, ⟨1⟩2, and Lemma 1.



B.5 Proof of Proposition 4

Let: $L \triangleq \forall i \in I : WF_{w_i}(A_i) \wedge \forall j \in J : SF_{w_j}(A_j)$

Assume: 1. $\Phi$ and $\Pi$ are safety properties.
        2. $\Pi$ constrains at most $\mu$.
        3. $I \cup J$ a finite or countably infinite set, which we take to be a set of natural numbers.
        4. For all $k$ in $I \cup J$:
           a. $\langle A_k \rangle_{w_k}$ is a subaction of $\Phi \wedge \Pi$.
           b. $\Phi \Rightarrow \Box[\langle A_k \rangle_{w_k} \Rightarrow \mu]_{w_k}$
        5. For all $j$ in $J$: $\mathit{Enabled}\,\langle A_j \rangle_{w_j}$ is a $\neg\mu$ invariant of $\Phi \wedge \Pi$.
Prove: $(\Phi \stackrel{+}{\rightarrow} \Pi,\ \Phi \stackrel{+}{\rightarrow} L)$ is $\mu$-machine realizable.

By Lemma 2, it suffices to
Assume: 6. $\tau \models \Phi \stackrel{+}{\rightarrow} \Pi$
Prove: There exists a $\mu$-strategy $f$ such that $O_\mu(f, \tau) \subseteq (\Phi \stackrel{+}{\rightarrow} \Pi) \wedge (\Phi \stackrel{+}{\rightarrow} L)$.

Proof sketch: Defining the strategy $f$ is tantamount to constructing a scheduler that executes the actions $\langle A_k \rangle_{w_k}$ to satisfy the fairness requirements. Action $\langle A_k \rangle_{w_k}$ is never considered until $k$ steps have occurred, so only finitely many actions are considered at any point. The next action scheduled is the enabled action that has been under consideration for the longest time without having been executed. In the event of ties, the lowest-numbered action is chosen. The strategy $f$ will never violate $\Phi$, and it stops making moves if $\Phi$ is ever made false by the environment. In the following definitions, $\mathit{nextact}(\rho)$ is the $k$ such that the scheduler chooses to execute $\langle A_k \rangle_{w_k}$ after the finite behavior $\rho$.

Let: $B_k \triangleq \langle A_k \rangle_{w_k}$
     $\mathit{lasttime}(\rho, k) \triangleq \max(\{l : 1 < l \le |\rho| : (\rho_{l-1}, \rho_l) \in B_k\} \cup \{k\})$
     $\mathit{able}(\rho) \triangleq$ if $\rho = \lambda$ then the set of naturals else $\{k : \rho_{|\rho|} \in \mathit{Enabled}\,B_k\}$
     $\mathit{oldestlast}(\rho) \triangleq \min\{\mathit{lasttime}(\rho, k) : k \in \mathit{able}(\rho)\}$
     $\mathit{nextact}(\rho) \triangleq \min\{k \in \mathit{able}(\rho) : \mathit{lasttime}(\rho, k) = \mathit{oldestlast}(\rho)\}$

⟨1⟩1. Choose $f$ such that for all $\rho$ in $S^*$:
        if $(\mathit{able}(\rho) = \emptyset) \vee (\rho \not\models \Phi)$
          then $f(\rho) = \bot$
          else $\wedge$ $(\rho \neq \lambda) \Rightarrow (\rho_{|\rho|}, f(\rho)) \in B_{\mathit{nextact}(\rho)}$
               $\wedge$ $\rho \circ f(\rho) \models \Phi$
   Proof sketch: We must show that, for any $\rho$, the requisite $f(\rho)$ exists.
   ⟨2⟩1. Assume: $(\mathit{able}(\rho) \neq \emptyset) \wedge (\rho \models \Phi)$
         Prove: $\exists s \in S : \wedge\ (\rho \neq \lambda) \Rightarrow (\rho_{|\rho|}, s) \in B_{\mathit{nextact}(\rho)}$
                            $\wedge\ \rho \circ s \models \Phi$
      ⟨3⟩1. Case: $\rho = \lambda$
         Proof: Assumption ⟨2⟩ and the definition of $\rho \models \Phi$.
      ⟨3⟩2. Case: $\rho \neq \lambda$
         ⟨4⟩1. $\rho_{|\rho|} \in \mathit{Enabled}\,B_{\mathit{nextact}(\rho)}$
            ⟨5⟩1. $\mathit{nextact}(\rho) \in \mathit{able}(\rho)$
               Proof: Assumption ⟨2⟩ and the definitions of $\mathit{nextact}$ and $\mathit{oldestlast}$.
            ⟨5⟩2. Q.E.D.
               Proof: Case assumption ⟨3⟩ and the definition of $\mathit{able}(\rho)$.
         ⟨4⟩2. Q.E.D.
            Proof: ⟨4⟩1 and assumption ⟨0⟩.4a.
      ⟨3⟩3. Q.E.D.
         Proof: ⟨3⟩1 and ⟨3⟩2.
   ⟨2⟩2. Q.E.D.
      Proof: The existence of the required $f$ follows easily from ⟨2⟩1.
⟨1⟩2. $f$ is a $\mu$-strategy.
   Assume: $(\rho \neq \lambda) \wedge (f(\rho) \neq \bot)$
   Prove: $(\rho_{|\rho|}, f(\rho)) \in \mu$
   Proof: ⟨1⟩1 and assumption ⟨1⟩ imply
          $\wedge$ $(\rho_{|\rho|}, f(\rho)) \in B_{\mathit{nextact}(\rho)}$
          $\wedge$ $\rho \circ f(\rho) \models \Phi$
   and the result follows from ⟨0⟩.4b.
⟨1⟩3. $O_\mu(f, \tau) \subseteq (\Phi \stackrel{+}{\rightarrow} \Pi)$
   Proof sketch: This is a straightforward induction proof; ⟨2⟩1 is the base case and ⟨2⟩2 is the induction step.
   ⟨2⟩1. Assume: $\sigma \in O_\mu(f, \tau)$
         Prove: $\sigma|_0 \models \Phi \stackrel{+}{\rightarrow} \Pi$
      Proof: $\sigma|_0 = \tau|_0$ by assumption ⟨2⟩ and the definition of $O_\mu(f, \tau)$, and $\tau \models (\Phi \stackrel{+}{\rightarrow} \Pi)$ by assumption ⟨0⟩.6.
   ⟨2⟩2. Assume: 1. $\sigma \in O_\mu(f, \tau)$
                 2. $\sigma|_i \models \Phi \stackrel{+}{\rightarrow} \Pi$
                 3. $i \ge 0$
         Prove: $\sigma|_{i+1} \models \Phi \stackrel{+}{\rightarrow} \Pi$
      ⟨3⟩1. Case: $i \ge |\tau|$
         ⟨4⟩1. Case: $(\sigma_i, \sigma_{i+1}) \notin \mu$
            Proof: Follows easily from assumption ⟨2⟩.2 and assumption ⟨0⟩.2, since $\Pi$ constrains at most $\mu$ implies $\Phi \stackrel{+}{\rightarrow} \Pi$ constrains at most $\mu$.
         ⟨4⟩2. Case: $(\sigma_i, \sigma_{i+1}) \in \mu$
            ⟨5⟩1. $\sigma_{i+1} = f(\sigma|_i)$
               Proof: Assumption ⟨2⟩.1.
            ⟨5⟩2. Q.E.D.
               Proof: ⟨5⟩1, assumption ⟨2⟩.2, and the else clause in ⟨1⟩1 (the definition of $f$).
         ⟨4⟩3. Q.E.D.
            Proof: ⟨4⟩1 and ⟨4⟩2.
      ⟨3⟩2. Case: $i < |\tau|$
         Proof: By assumption ⟨0⟩.6 and assumption ⟨2⟩.1, since $i < |\tau|$ implies $\sigma|_{i+1} = \tau|_{i+1}$.
      ⟨3⟩3. Q.E.D.
         Proof: ⟨3⟩1 and ⟨3⟩2.
   ⟨2⟩3. Q.E.D.
      Proof: ⟨2⟩1, ⟨2⟩2, mathematical induction, and assumption ⟨0⟩.1.
⟨1⟩4. $O_\mu(f, \tau) \subseteq (\Phi \stackrel{+}{\rightarrow} L)$
   Proof sketch: The proof is by contradiction. We define $\mathit{IE}$ and $\mathit{IO}$ to be the sets of indices of actions that should be executed infinitely often and that actually are executed infinitely often, respectively. We show that the existence of a $q$ in $\mathit{IE}$ but not in $\mathit{IO}$ leads to a contradiction.
   Assume: 1. $\sigma \in O_\mu(f, \tau)$
           2. $\sigma \in \Phi$
           3. $\exists k \in I \cup J : \vee\ k \in I \wedge \sigma \notin WF_{w_k}(A_k)$
                                  $\vee\ k \in J \wedge \sigma \notin SF_{w_k}(A_k)$
   Prove: false
   Let: $\mathit{IE} \triangleq \{i \in I : \sigma \models \Diamond\Box\mathit{Enabled}\,B_i\} \cup \{j \in J : \sigma \models \Box\Diamond\mathit{Enabled}\,B_j\}$
        $\mathit{IO} \triangleq \{k \in I \cup J : (\sigma_n, \sigma_{n+1}) \in B_k \text{ for infinitely many } n\}$
   ⟨2⟩1. $\sigma \in \Phi \wedge \Pi$
      Proof: ⟨1⟩3 and assumption ⟨1⟩.1, which imply $\sigma \in \Phi \stackrel{+}{\rightarrow} \Pi$, and ⟨1⟩.2.
   ⟨2⟩2. Choose $q$ such that
            1. $q \in \mathit{IE}$
            2. $q \notin \mathit{IO}$
      Proof: Assumption ⟨1⟩.3.
   ⟨2⟩3. Choose $m_1$ such that
            1. $m_1 > q$
            2. $\forall n \ge m_1 : (\sigma_{n-1}, \sigma_n) \notin B_q$
            3. $m_1 > |\tau|$
      Proof: ⟨2⟩2.2.
   ⟨2⟩4. Choose $m_2$ such that
            1. $m_2 > m_1$
            2. $\forall k \in I \cup J : (k \notin \mathit{IO}) \wedge (k \le m_1) \Rightarrow \forall n \ge m_2 : (\sigma_n, \sigma_{n+1}) \notin B_k$
      Proof: Definition of $\mathit{IO}$.
   ⟨2⟩5. Choose $m_3$ such that
            1. $m_3 > m_2$
            2. $\forall k \in I \cup J : (k \in \mathit{IO}) \wedge (k \le m_1) \Rightarrow \exists n \ge m_2 : (n < m_3) \wedge (\sigma_n, \sigma_{n+1}) \in B_k$
      Proof: Definition of $\mathit{IO}$.
   ⟨2⟩6. Choose $m_4$ such that
            1. $m_4 > m_3$
            2. $\sigma_{m_4} \in \mathit{Enabled}\,B_q$
            3. $(q \in I) \Rightarrow \forall n \ge m_4 : \sigma_n \in \mathit{Enabled}\,B_q$
      Proof: ⟨2⟩2.1 and the definition of $\mathit{IE}$.
   ⟨2⟩7. $\forall n \ge m_4 :$ 1. $\wedge$ $\sigma_n \in \mathit{Enabled}\,B_q$
                             2. $\wedge$ $(\sigma_n, \sigma_{n+1}) \notin \mu$
      Proof sketch: By time $m_4$, $B_q$ is the next action scheduled for execution. Since $B_q$ is never again executed (by ⟨2⟩3), there can be no further $\mu$ steps. Since only a $\mu$ step can disable $B_q$ (by assumption ⟨0⟩.5), $B_q$ must be enabled forever. The formal proof is by induction on $n$; ⟨3⟩1 is the base case and ⟨3⟩2 is the induction step.
      ⟨3⟩1. $\sigma_{m_4} \in \mathit{Enabled}\,B_q$
         Proof: ⟨2⟩6.
      ⟨3⟩2. Assume: 1. $\sigma_n \in \mathit{Enabled}\,B_q$
                    2. $(\sigma_{n-1}, \sigma_n) \notin \mu$
                    3. $n \ge m_4$
            Prove: $\wedge$ $\sigma_{n+1} \in \mathit{Enabled}\,B_q$
                   $\wedge$ $(\sigma_n, \sigma_{n+1}) \notin \mu$
         ⟨4⟩1. $(\sigma_n, \sigma_{n+1}) \notin \mu$
            Assume: $(\sigma_n, \sigma_{n+1}) \in \mu$
            Prove: false
            ⟨5⟩1. $\vee$ $\mathit{nextact}(\sigma|_n) = q$
                  $\vee$ $\exists k \in I \cup J : \wedge\ \mathit{nextact}(\sigma|_n) = k$
                                            $\wedge\ k \le m_1 \wedge k \notin \mathit{IO}$
                                            $\wedge\ k \in \mathit{able}(\sigma|_n)$
               ⟨6⟩1. $q \in \mathit{able}(\sigma|_n)$
                  Proof: Assumption ⟨3⟩.1.
               ⟨6⟩2. Assume: $k > m_1$
                     Prove: $\mathit{lasttime}(\sigma|_n, k) > \mathit{lasttime}(\sigma|_n, q)$
                  Proof: $\mathit{lasttime}(\sigma|_n, k) \ge k > m_1$ by definition of $\mathit{lasttime}$, and $m_1 \ge \mathit{lasttime}(\sigma|_n, q)$ by ⟨2⟩3.
               ⟨6⟩3. Assume: $(k \le m_1) \wedge (k \in \mathit{IO})$
                     Prove: $\mathit{lasttime}(\sigma|_n, k) > \mathit{lasttime}(\sigma|_n, q)$
                  Proof: $\mathit{lasttime}(\sigma|_n, k) > m_2 > m_1$ by ⟨2⟩5, and $m_1 \ge \mathit{lasttime}(\sigma|_n, q)$ by ⟨2⟩3.
               ⟨6⟩4. $\vee$ $\mathit{oldestlast}(\sigma|_n) = \mathit{lasttime}(\sigma|_n, q)$
                     $\vee$ $\exists k \in I \cup J : \wedge\ \mathit{oldestlast}(\sigma|_n) = \mathit{lasttime}(\sigma|_n, k)$
                                               $\wedge\ k \le m_1 \wedge k \notin \mathit{IO}$
                                               $\wedge\ k \in \mathit{able}(\sigma|_n)$
                  Proof: ⟨6⟩1, ⟨6⟩2, and ⟨6⟩3.
               ⟨6⟩5. Q.E.D.
                  Proof: ⟨6⟩4 and the definition of $\mathit{nextact}$.
            ⟨5⟩2. $\vee$ $(\sigma_n, \sigma_{n+1}) \in B_q$
                  $\vee$ $\exists k \in I \cup J : \wedge\ (\sigma_n, \sigma_{n+1}) \in B_k$
                                            $\wedge\ k \le m_1 \wedge k \notin \mathit{IO}$
               Proof: ⟨5⟩1, the definition of $f$ (⟨1⟩1), assumption ⟨4⟩, and assumption ⟨1⟩.1, since $n \ge |\tau|$ by assumption ⟨3⟩.3 and ⟨2⟩3–⟨2⟩6.
            ⟨5⟩3. Q.E.D.
               ⟨6⟩1. Case: $(\sigma_n, \sigma_{n+1}) \in B_q$
                  Proof: Contradicts ⟨2⟩3, since $n \ge m_1$ by assumption ⟨3⟩.3 and ⟨2⟩4–⟨2⟩6.
               ⟨6⟩2. Case: $\exists k \in I \cup J : (\sigma_n, \sigma_{n+1}) \in B_k \wedge k \le m_1 \wedge k \notin \mathit{IO}$
                  Proof: Contradicts ⟨2⟩4, since $n \ge m_2$ by assumption ⟨3⟩.3, ⟨2⟩5, and ⟨2⟩6.
               ⟨6⟩3. Q.E.D.
                  Proof: ⟨6⟩1 and ⟨6⟩2.
         ⟨4⟩2. $\sigma_{n+1} \in \mathit{Enabled}\,B_q$
            Proof: Assumption ⟨3⟩.1, ⟨4⟩1, ⟨2⟩1, and assumption ⟨0⟩.5.
         ⟨4⟩3. Q.E.D.
            Proof: ⟨4⟩1 and ⟨4⟩2.
      ⟨3⟩3. Q.E.D.
         Proof: ⟨3⟩1, ⟨3⟩2, and mathematical induction.
   ⟨2⟩8. Q.E.D.
      ⟨3⟩1. $\forall n \ge m_4 : f(\sigma|_n) \neq \bot$
         Proof: ⟨2⟩7.1, assumption ⟨1⟩.1, assumption ⟨1⟩.2, and ⟨1⟩3.
      ⟨3⟩2. Q.E.D.
         Proof: ⟨3⟩1 and ⟨2⟩7.2 contradict assumption ⟨1⟩.1.
⟨1⟩5. Q.E.D.
   Proof: ⟨1⟩2, ⟨1⟩3, and ⟨1⟩4.
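The scheduler that the strategy $f$ of ⟨1⟩1 encodes ($\mathit{lasttime}$, $\mathit{able}$, $\mathit{oldestlast}$, $\mathit{nextact}$) is concrete enough to run. The following is an added example, not code from the paper: it implements those four definitions and the strategy of ⟨1⟩1 over a constructed three-action system, with $\Phi = \mathit{true}$ assumed so that the $\rho \models \Phi$ test disappears. It also serves as an executable reading of the $\mu$-strategy and $O_\mu(f)$ definitions of Section A.5. The `Action` class, the state encoding as a dictionary, and the three sample actions $B_0, B_1, B_2$ are all assumptions of this example.

```python
# Added example (not from the paper): the scheduling strategy built in the proof
# of Proposition 4 (B.5), run against a constructed three-action system.
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, int]      # assumed encoding: a state maps variable names to ints
Behavior = List[State]      # finite behavior rho_1 ... rho_|rho|, stored 0-based


class Action:
    """B_k = <A_k>_{w_k}: a step relation plus a way to pick one successor."""

    def __init__(self, relation: Callable[[State, State], bool],
                 execute: Callable[[State], State]) -> None:
        self.relation = relation    # (s, t) in B_k ?
        self.execute = execute      # a candidate successor t of s

    def enabled(self, s: State) -> bool:
        # Enabled B_k holds in s iff the candidate successor is a genuine B_k step.
        return self.relation(s, self.execute(s))


def lasttime(rho: Behavior, actions: Dict[int, Action], k: int) -> int:
    """max({l : 1 < l <= |rho| and (rho_{l-1}, rho_l) in B_k} U {k})."""
    last = k
    for l in range(2, len(rho) + 1):
        if actions[k].relation(rho[l - 2], rho[l - 1]):
            last = l
    return last


def able(rho: Behavior, actions: Dict[int, Action]) -> List[int]:
    """able(lambda) is 'the set of naturals' in the proof; here all of I U J."""
    if not rho:
        return sorted(actions)
    return [k for k in sorted(actions) if actions[k].enabled(rho[-1])]


def oldestlast(rho: Behavior, actions: Dict[int, Action]) -> int:
    return min(lasttime(rho, actions, k) for k in able(rho, actions))


def nextact(rho: Behavior, actions: Dict[int, Action]) -> int:
    """Longest-waiting enabled action; ties go to the lowest index."""
    old = oldestlast(rho, actions)
    return min(k for k in able(rho, actions) if lasttime(rho, actions, k) == old)


def strategy(rho: Behavior, actions: Dict[int, Action], init: State) -> Optional[State]:
    """The mu-strategy f of <1>1 with Phi = true (assumed): None plays the role of bottom."""
    if not able(rho, actions):
        return None                     # nothing enabled: the strategy passes
    if not rho:
        return init                     # f(lambda) supplies the first state
    return actions[nextact(rho, actions)].execute(rho[-1])


def schedule(actions: Dict[int, Action], init: State, steps: int) -> Tuple[List[int], Behavior]:
    """Play f against a passive environment (no mu steps by anyone else)."""
    rho: Behavior = []
    chosen: List[int] = []
    for _ in range(steps + 1):
        nxt = strategy(rho, actions, init)
        if nxt is None:
            break
        if rho:
            chosen.append(nextact(rho, actions))
        rho.append(nxt)
    return chosen, rho


def _upd(s: State, **kw: int) -> State:
    t = dict(s)
    t.update(kw)
    return t


def _same_except(s: State, t: State, var: str) -> bool:
    return all(s[v] == t[v] for v in s if v != var)


# Constructed sample: B_0 always enabled; B_1 needs x > y; B_2 needs y > z.
SAMPLE_ACTIONS: Dict[int, Action] = {
    0: Action(lambda s, t: t["x"] == s["x"] + 1 and _same_except(s, t, "x"),
              lambda s: _upd(s, x=s["x"] + 1)),
    1: Action(lambda s, t: s["x"] > s["y"] and t["y"] == s["y"] + 1 and _same_except(s, t, "y"),
              lambda s: _upd(s, y=s["y"] + 1)),
    2: Action(lambda s, t: s["y"] > s["z"] and t["z"] == s["z"] + 1 and _same_except(s, t, "z"),
              lambda s: _upd(s, z=s["z"] + 1)),
}
INIT: State = {"x": 0, "y": 0, "z": 0}


def demo(steps: int = 8) -> List[int]:
    """Indices chosen by nextact over `steps` scheduled moves of the sample system."""
    chosen, _ = schedule(SAMPLE_ACTIONS, INIT, steps)
    return chosen


if __name__ == "__main__":
    print(demo())
```

Because $B_0$ is always enabled it would starve the others under a naive "first enabled" rule; the $\mathit{oldestlast}$ ordering instead interleaves it with $B_1$ and $B_2$ whenever they are enabled, which is exactly the behaviour ⟨1⟩4 relies on to rule out a $q \in \mathit{IE} \setminus \mathit{IO}$.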

B.6 Proof of Proposition 5

Assume: 1. $\Phi$ and $\Pi$ are safety properties.
        2. $(\Phi \stackrel{+}{\rightarrow} \Pi, L_1)$ is $\mu$-machine realizable.
        3. $(\mathit{true}, L_2)$ is $\mu$-machine realizable.
        4. $\Phi \wedge \Pi \wedge L_1$ implies $L_2$.
Prove: $(\Phi \stackrel{+}{\rightarrow} \Pi, L_2)$ is $\mu$-machine realizable.

⟨1⟩1. Assume: $\rho$ is a finite behavior such that $\rho \models (\Phi \stackrel{+}{\rightarrow} \Pi)$.
      Prove: There exists a $\mu$-strategy $f$ such that $O_\mu(f, \rho) \subseteq (\Phi \stackrel{+}{\rightarrow} \Pi) \wedge L_2$.
  ⟨2⟩1. Choose a $\mu$-strategy $h$ such that $O_\mu(h, \rho) \subseteq (\Phi \stackrel{+}{\rightarrow} \Pi) \wedge L_1$.
     Proof: Assumption ⟨0⟩.2, assumption ⟨1⟩, and Lemma 2.
  ⟨2⟩2. For all $\tau$, choose a $\mu$-strategy $g_\tau$ such that $O_\mu(g_\tau, \tau) \subseteq L_2$.
     Proof: Assumption ⟨0⟩.3 and Lemma 2.
  ⟨2⟩3. Let $f(\tau) = h(\tau)$ for $\tau \models \Phi$, and otherwise let $f(\tau) = g_\eta(\tau)$, where $\eta$ is the shortest prefix of $\tau$ such that $\eta \not\models \Phi$. Then $f$ is a $\mu$-strategy.
     Proof: By steps ⟨2⟩1 and ⟨2⟩2 (which say that $h$ and the $g_\tau$ are $\mu$-strategies).
  ⟨2⟩4. $O_\mu(f, \rho) \subseteq (\Phi \stackrel{+}{\rightarrow} \Pi) \wedge L_2$
     Assume: $\tau \in O_\mu(f, \rho)$
     Prove: $\tau \in (\Phi \stackrel{+}{\rightarrow} \Pi) \wedge L_2$
     ⟨3⟩1. Case: $\tau \in \Phi$
        ⟨4⟩1. $\tau \in O_\mu(h, \rho)$
           Proof: By assumption ⟨2⟩, since the case assumption ⟨3⟩ and the definition of $f$ (step ⟨2⟩3) imply $f(\tau|_n) = h(\tau|_n)$ for all $n$.
        ⟨4⟩2. $\tau \in (\Phi \stackrel{+}{\rightarrow} \Pi) \wedge L_1$
           Proof: By step ⟨4⟩1 and the choice of $h$ (step ⟨2⟩1).
        ⟨4⟩3. $\tau \in \Phi \wedge \Pi \wedge L_1$
           Proof: By step ⟨4⟩2 and case assumption ⟨3⟩.
        ⟨4⟩4. Q.E.D.
           Proof: By step ⟨4⟩3 and assumption ⟨0⟩.4.
     ⟨3⟩2. Case: $\tau \notin \Phi$
        ⟨4⟩1. Let $n$ be the least integer such that $\tau|_n \not\models \Phi$.
           Proof: Such an $n$ exists by case assumption ⟨3⟩ and assumption ⟨0⟩.1.
        ⟨4⟩2. $\tau \in O_\mu(g_{\tau|_n}, \tau|_n)$
           Proof: By step ⟨4⟩1, assumption ⟨2⟩, and the definition of $f$ (step ⟨2⟩3).
        ⟨4⟩3. $\tau \in L_2$
           Proof: By step ⟨4⟩2 and the choice of $g_{\tau|_n}$ (step ⟨2⟩2).
        ⟨4⟩4. Q.E.D.
           Proof: By step ⟨4⟩3 and case assumption ⟨3⟩.
     ⟨3⟩3. Q.E.D.
        Proof: By steps ⟨3⟩1 and ⟨3⟩2.
  ⟨2⟩5. Q.E.D.
     Proof: By steps ⟨2⟩3 and ⟨2⟩4.
⟨1⟩2. Q.E.D.
  Proof: The result follows immediately from step ⟨1⟩1 and Lemma 2.
B.7 Proof of Theorem 4

The proof of Theorem 4 is rather long and is presented in two steps. Section B.7.1 contains a high-level view of the proof; Section B.7.2 contains the complete proof, omitting definitions and complete subproofs that appear in the high-level view. If a formula $F$ is a conjunction, we may number the conjuncts and let $F.i$ denote the $i$th one.

The proof uses the following two lemmas.

Lemma 3 (Rule WF1) For any predicates $P$, $Q$, and $I$; actions $N$ and $A$; and state function $f$; if

1. $P \wedge I \wedge I' \wedge [N]_f \Rightarrow (P' \vee Q')$

2. $P \wedge I \wedge I' \wedge \langle N \wedge A \rangle_f \Rightarrow Q'$

3. $P \wedge I \Rightarrow \mathit{Enabled}\,\langle A \rangle_f$

then $WF_f(A) \wedge \Box I \wedge \Box[N]_f \Rightarrow (P \leadsto Q)$

Proof: This is a simple generalization of rule WF1 of [13]; the proof of soundness is omitted.

Lemma 4 For any actions $A$ and $B$, state function $f$, variable $x$, predicate $P$, and property $\Pi$:

1. (a) $(\mathit{Enabled}\,(x' = f)) = \mathit{true}$.
   (b) If $A$ and $B$ have no primed variables in common, then $(\mathit{Enabled}\,(A \wedge B)) = (\mathit{Enabled}\,A) \wedge (\mathit{Enabled}\,B)$.

2. $(\mathit{Enabled}\,A) \wedge (\neg\mathit{Enabled}\,B) \Rightarrow (\mathit{Enabled}\,(A \wedge \neg B))$

3. $(\mathit{Enabled}\,(P \wedge A)) = (P \wedge \mathit{Enabled}\,A)$

4. $(\mathit{Enabled}\,\exists x : A) = (\exists x : \mathit{Enabled}\,A)$

5. If $A \Rightarrow B$ then $(\mathit{Enabled}\,A) \Rightarrow (\mathit{Enabled}\,B)$.

Proof: These properties all follow easily from the definitions.

B.7.1 High-Level Proof of the Theorem

Let: $\Pi \triangleq E \wedge M$
     $M' \triangleq M \wedge RT_v \wedge \forall i \in I : \mathit{MinTime}(t_i, A_i, v) \wedge \forall j \in J : \mathit{MaxTime}(T_j)$
     $\Pi' \triangleq E \wedge M'$

Assume: 0. a. $\Pi = \mathit{Init} \wedge \Box[N]_w$ for some predicate $\mathit{Init}$, action $N$, and state function $w$.
           b. $t_i$ is a timer for $\Pi$, for all $i$ in $I$.
           c. $T_j$ is a timer for $\Pi$, for all $j$ in $J$.
           d. $J$ is a finite set.
        1. $\langle A_i \rangle_v$ and $\langle A_j \rangle_v$ are disjoint for $\Pi$, for all $i \in I$ and $j \in J$ with $i \neq j$.
        2. a. $now$ does not occur free in $\Pi$.
           b. $(now' = r) \wedge (v' = v)$ is a subaction of $\Pi$, for all $r \in \mathbf{R}$.
        3. For all $j \in J$:
           a. $\langle A_j \rangle_v \wedge (now' = now)$ is a subaction of $\Pi$.
           b. $\Pi \Rightarrow \mathit{VTimer}(T_j, A_j, \Delta_j, v)$ or $\Pi \Rightarrow \mathit{PTimer}(T_j, A_j, \Delta_j, v)$, where $\Delta_j \in (0, \infty)$.
           c. $\Pi' \Rightarrow \Box(\mathit{Enabled}\,\langle A_j \rangle_v = \mathit{Enabled}\,(\langle A_j \rangle_v \wedge (now' = now)))$
           d. $(v' = v) \Rightarrow (\mathit{Enabled}\,\langle A_j \rangle_v = (\mathit{Enabled}\,\langle A_j \rangle_v)')$
        4. $\Pi \Rightarrow \Box(t_k \le T_k)$, for all $k \in I \cap J$.
        5. $E$ and $M$ are safety properties, and $M$ constrains at most $\mu$.
        6. a. $\langle A_k \rangle_v \Rightarrow \mu$, for all $k \in I \cup J$.
           b. $(now' \neq now) \Rightarrow \mu$
Prove: $(E \stackrel{+}{\rightarrow} M', NZ)$ is $\mu$-machine realizable.

Proof sketch: We show that a fairness condition $WF_{(now,v)}(C)$ implies that $now$ increases without bound, for a subaction $\langle C \rangle_{(now,v)}$ of $\Pi'$, and then apply Propositions 4 and 5. To prove that $now$ increases without bound, we prove that $now = r$ leads to $now \ge r + \Delta$ for any number $r$, where $\Delta$ is the minimum of the $\Delta_j$. The action $C$ advances $now$ or, if that is impossible because $now = T_j$ for some upper-bound timer $T_j$, it performs the action $A_j$ (thereby advancing $T_j$).

We begin by naming the next-state relations of the $RT_v$, $\mathit{MaxTime}$, $\mathit{MinTime}$, $\mathit{VTimer}$, and $\mathit{PTimer}$ formulas and defining some actions and predicates, including $C$. A $B_j$ step is defined to be an $A_j$ step that leaves $now$ unchanged. An $A'_j$ or $B'_j$ step is an $A_j$ or $B_j$ step that satisfies the lower-bound timing constraint, if there is one. The state function $T$ is the smallest $T_j$ that restricts the advance of $now$.

Let: $RTact_v \triangleq [(now' \in (now, \infty)) \wedge (v' = v)]_{now}$
     $\mathit{MaxTact}(t) \triangleq [now' \le t']_{now}$
     $\mathit{MinTact}(t, A, v) \triangleq [A \Rightarrow (t \le now)]_v$
     $\mathit{VTact}(t, A, \delta, v) \triangleq [\ \wedge\ t' = \text{if } (\mathit{Enabled}\,\langle A \rangle_v)' \text{ then (if } \langle A \rangle_v \vee \neg\mathit{Enabled}\,\langle A \rangle_v \text{ then } now + \delta \text{ else } t\text{) else } \infty$
                                          $\wedge\ (now, v)' \neq (now, v)\ ]_{(t,\,v,\,now)}$
     $\mathit{PTact}(t, A, \delta, v) \triangleq [\ \wedge\ t' = \text{if } \mathit{Enabled}\,\langle A \rangle_v \text{ then (if } \langle A \rangle_v \text{ then } now + \delta \text{ else } t\text{) else } t + (now' - now)$
                                          $\wedge\ (now, v)' \neq (now, v)\ ]_{(t,\,v,\,now)}$
     $P_j \triangleq (j \in I) \Rightarrow (t_j \le now)$
     $A'_j \triangleq P_j \wedge A_j$
     $B_j \triangleq A_j \wedge (now' = now)$
     $B'_j \triangleq A'_j \wedge (now' = now)$
     $T \triangleq \min\{T_j : j \in J \wedge \mathit{Enabled}\,\langle A_j \rangle_v\}$
     $\Delta \triangleq \min\{\Delta_j : j \in J\}$
     $\mathit{NowT} \triangleq (now' = \min(now + \Delta, T)) \wedge (v' = v)$
     $C \triangleq \vee\ (T \neq now) \wedge \mathit{NowT}$
                $\vee\ (T = now) \wedge \exists j \in J : (T_j = T) \wedge B'_j$
(1)1. Choose Jp and Jy such that: 

1. J= JpU Jy 

2. Jpnjy^0 

3. V; e /v- : n ^ VTimer(Tj, Aj, Aj, v) 

4. WjeJp-.n^ PTimer(Tj, Aj, Aj, v) 
Proof: Jp and Jy exist by assumption (0) .3b. 

(1)2. =^ D/nv, where 

Inv = l.A Vj & J : Tj & [now, oo] 

2. A now G R 

3. A yj e J : (Enabled {Aj)i, = 

Enabled ({Aj)y A (now' = now)) 

4. A VA; G / n 7 : 4 < Tfe 

5. A Vj G Jy : -^Enabled {Aj)i. ^ (Tj — oo) 

Proof sketch: It follows immediately from the hypotheses that 11' implies 
□/nv.3 and □/nv.4. The proofs for the other conjuncts of Inv are straightforward 
but somewhat tedious invariance proofs, which are omitted. 
(2)1. 7?r„ ^ ninv.l 

(2)2. For all ; G / : n A ninv.2 AMaxTime(Tj) ^ D/nv.l 
(2)3. n' =^ ainv3 
(2)4. n' ^ □/nv.4 
(2)5. n' ^ ninv.5 
(2)6. Q.E.D. 
Proof: (2)1-(2)5. 
(1)3. 1. n = Init A aM 

2. W — Init' A oj\f', for some predicate /njV. 
where 
M = aW]^ 

A Vj G 7p : PTact(Tj, Aj, Aj, v) 
A Vj G 7v : VTact(Tj, Aj, Aj, v) 

M' ^ AM 

A RTacty 

A V? G / : MinTact(ti, At, v) 
A Vj G 7 : MaxTact(Tj) 
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Proof: 1 follows from assumptions (0) .Oa and (0) .3b, and 2 follows from the 
definition of ^^ since □ distributes over A. (A simple calculation shows that 
M — [M]f and J^' — W]g, for suitable tuples / and g, so aM and aj\f' are 
TLA formulas.) 
(1)4. {C)(now,v) is a subaction of n'. 

(2) 1. For all j in 7 : is a subaction of W. 
(2)2. {NowT)now is a subaction of TV . 
(2)3. Q.E.D. 

Proof: By (2)1 and (2)2, since {NowT)now = {NowT)(now,v), {B]), = 
{B'j)(now,v)^ Lemma 4.4 impUes that the disjunction of subactions is a sub- 
action, and Lemma 4.3 implies that if P is a subaction, then P A P is also a 
subaction, for any predicate P. 
(1)5. n' aWF(„,^,,)(C) ^A^Z 

Proof: By the Lattice Rule [13], it suffices to 

Assume: r e R 

Prove: n' a WP(now,v){C) ^ ( (now — r) ^ {now G [r + A , oo)) ) 
Proof sketch: The standard method of proving that now = r leads to now e 
[r + A , oo) is to assume that now — r and now is never in [r + A , oo), and derive 
a contradiction. Step (2)2 below proves that, if now equals r and it is never in 
[r + A , oo), then it is always in [r, r + A). It therefore suffices to assume now 
is always in [r, r + A) and derive the contradiction. 

The contradiction is obtained by showing that eventually there is no upper-bound 
timer preventing the advance of now past r + A. The timers that could prevent 

the advance of now are the ones in the set U of timers that are less than r + A. 
Step (2)4 asserts that U eventually becomes empty, and (2)5 asserts that time 
then advances past r + A. 
Let: V = {j e 7 : 7; < r + A} 

V = {j e 7 : now < 7; < r + A} 

Timer Act = Vj e 7 : v VTact(Tj, Aj, Aj, v) 

V PTact(Tj,Aj, Aj,v) 
(2)1. Inv ^ Enabled {C)(now,v) 
(2)2. n' ^ 

U{{now — r) A U{now e ( — oo, r + A)) U{now e [r, r + A))) 
(2)3. Assume: g 7 

Prove: 1. n' a U{now e [r, r + A)) ^ □((;■ ^U)^a(j ^ U)) 
2. n' A a(now e[r,r + A)) ^ a((j ^ V) ^ a(j ^ V)) 
(2)4. n' A 0(now e[r,r + A)) A WF ^^nowAO Oa(U = 0) 
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(2)5. A n(now G [r, r + A)) 
A a{U - 0) 
A ainv 

A WF(„„vv.„)(C) 

=^ true ^ (now > r + A) 
(2)6. Q.E.D. 
Proof: (2)2, (2)4, (2)5, (1)2, and temporal logic. 
(1)6. $(E \rightarrow M',\ E \Rightarrow \mathit{WF}_{(now,v)}(C))$ is $\mu$-machine realizable.
(2)1. $M'$ constrains at most $\mu$.
(2)2. Q.E.D.

Proof: We apply Proposition 4, with $E$ substituted for $\Phi$, $M'$ substituted for $\Pi$, and the single formula $\mathit{WF}_{(now,v)}(C)$ … Step (2)1 asserts that $M'$ constrains at most $\mu$. The three numbered hypotheses of the proposition are proved as follows:

1. (1)4.

2. Assumptions (0).6a and (0).6b and the definition of $C$.

3. Vacuous.

(1)7. $(\mathit{true}, \mathit{NZ})$ is $\mu$-machine realizable.

Proof: Assumption (0).6b.
(1)8. Q.E.D.

Proof: Proposition 5, using (0).5, (1)6, (1)7, and (1)5.

B.7.2 Detailed Proof of the Theorem

(1)1. Choose $J_P$ and $J_V$ such that:

1. $J = J_P \cup J_V$

2. $J_P \cap J_V = \emptyset$

3. $\forall j \in J_V : \Pi \Rightarrow \mathit{VTimer}(T_j, A_j, \delta_j, v)$

4. $\forall j \in J_P : \Pi \Rightarrow \mathit{PTimer}(T_j, A_j, \delta_j, v)$
(1)2. $\Pi' \Rightarrow \Box\mathit{Inv}$, where

$\mathit{Inv} \triangleq$ 1. $\wedge\ \forall j \in J : T_j \in [now, \infty]$

2. $\wedge\ now \in R$

3. $\wedge\ \forall j \in J : \big(\mathit{Enabled}\,\langle A_j\rangle_v = \mathit{Enabled}\,(\langle A_j\rangle_v \wedge (now' = now))\big)$

4. $\wedge\ \forall k \in I \cap J : t_k \leq T_k$

5. $\wedge\ \forall j \in J_V : \neg\mathit{Enabled}\,\langle A_j\rangle_v \Rightarrow (T_j = \infty)$
(2)1. $RT_v \Rightarrow \Box\mathit{Inv}.2$

Proof: An invariance proof.
(2)2. For all $j \in J$: $\Pi \wedge \Box\mathit{Inv}.2 \wedge \mathit{MaxTime}(T_j) \Rightarrow \Box\mathit{Inv}.1$

Proof: Assumption (0).0c and an invariance proof.
(2)3. $\Pi' \Rightarrow \Box\mathit{Inv}.3$

Proof: Assumption (0).3c.
(2)4. $\Pi' \Rightarrow \Box\mathit{Inv}.4$

Proof: Assumption (0).4.
(2)5. $\Pi' \Rightarrow \Box\mathit{Inv}.5$

Proof: (1)1.3, assumption (0).3d, and an invariance proof.
(2)6. Q.E.D.
(1)3. 1. $\Pi = \mathit{Init} \wedge \Box M$

2. $\Pi' = \mathit{Init}' \wedge \Box N'$, for some predicate $\mathit{Init}'$,
where
$M \triangleq \wedge\ [N]_v$
$\qquad\ \wedge\ \forall j \in J_P : \mathit{PTact}(T_j, A_j, \delta_j, v)$
$\qquad\ \wedge\ \forall j \in J_V : \mathit{VTact}(T_j, A_j, \delta_j, v)$

$N' \triangleq \wedge\ M$
$\qquad\ \wedge\ \mathit{RTact}_v$
$\qquad\ \wedge\ \forall i \in I : \mathit{MinTact}(t_i, A_i, v)$
$\qquad\ \wedge\ \forall j \in J : \mathit{MaxTact}(T_j)$
(1)4. $\langle C\rangle_{(now,v)}$ is a subaction of $\Pi'$.

(2)1. For all $j$ in $J$: $\langle B'_j\rangle_v$ is a subaction of $\Pi'$.
Assume: $j \in J$

Prove: $\Pi' \Rightarrow \Box\big(\mathit{Enabled}\,\langle B'_j\rangle_v \Rightarrow \mathit{Enabled}\,(\langle B'_j\rangle_v \wedge N')\big)$
(3)1. $\Pi \Rightarrow \Box\big(\mathit{Enabled}\,(\langle B'_j\rangle_v \wedge M)$
$\qquad\quad = \mathit{Enabled}\,(\wedge\ \langle B'_j\rangle_v \wedge M$
$\qquad\qquad\qquad\qquad \wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M))\big)$
(4)1. $\Pi \Rightarrow \Box\neg\mathit{Enabled}\,(\exists i \in I - \{j\} : \langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$

Proof: (1)3.1, assumption (0).1, and Lemma 4.4.
(4)2. Q.E.D.

Proof: Lemma 4.2, substituting $\langle B'_j\rangle_v \wedge M$ for $A$ and $\exists i \in I - \{j\} : \langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M$ for $B$.
(3)2. $\wedge\ \langle B'_j\rangle_v \wedge N'$
$\qquad \wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$
$= \wedge\ \langle B'_j\rangle_v \wedge M$
$\qquad \wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$
Proof: $\wedge\ \langle B'_j\rangle_v \wedge N'$
$\qquad \wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$

$=$ [by definition of $\langle B'_j\rangle_v$]

$\wedge\ A'_j \wedge (v' \neq v) \wedge (now' = now) \wedge N'$
$\wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$

$=$ [by definition of $N'$]

$\wedge\ A'_j \wedge M \wedge (v' \neq v) \wedge (now' = now)$
$\wedge\ \forall i \in I : A_i \Rightarrow (t_i \leq now)$
$\wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$

$=$ [by definition of $A'_j$]

$\wedge\ P_j \wedge A_j \wedge M \wedge (v' \neq v) \wedge (now' = now)$
$\wedge\ \forall i \in I : A_i \Rightarrow (t_i \leq now)$
$\wedge\ \forall i \in I - \{j\} : \neg(A_i \wedge A_j \wedge M \wedge (v' \neq v))$

$=$ [by predicate logic]

$\wedge\ P_j \wedge A_j \wedge M \wedge (v' \neq v) \wedge (now' = now)$
$\wedge\ (j \in I) \Rightarrow (t_j \leq now)$
$\wedge\ \forall i \in I - \{j\} : \neg(A_i \wedge A_j \wedge M \wedge (v' \neq v))$

$=$ [by definition of $\langle A_k\rangle_v$ and $M$]

$\wedge\ P_j \wedge A_j \wedge M \wedge (v' \neq v) \wedge (now' = now)$
$\wedge\ (j \in I) \Rightarrow (t_j \leq now)$
$\wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$

$=$ [by definition of $P_j$]

$\wedge\ P_j \wedge A_j \wedge (v' \neq v) \wedge (now' = now) \wedge M$
$\wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$

$=$ [by definition of $\langle B'_j\rangle_v$]

$\wedge\ \langle B'_j\rangle_v \wedge M$
$\wedge\ \forall i \in I - \{j\} : \neg(\langle A_i\rangle_v \wedge \langle A_j\rangle_v \wedge M)$
(3)3. $\Pi \Rightarrow \Box\big(\mathit{Enabled}\,(\langle B'_j\rangle_v \wedge M) \Rightarrow \mathit{Enabled}\,(\langle B'_j\rangle_v \wedge N')\big)$

Proof: (3)1, (3)2, and Lemma 4.5.
(3)4. $\Pi \Rightarrow \Box\big(P_j \wedge \mathit{Enabled}\,\langle B_j\rangle_v \Rightarrow P_j \wedge \mathit{Enabled}\,(\langle B_j\rangle_v \wedge M)\big)$

Proof: (1)3, Assumption (0).3a, and the definition of $B_j$.
(3)5. $\Pi \Rightarrow \Box\big((\mathit{Enabled}\,\langle B'_j\rangle_v) \Rightarrow \mathit{Enabled}\,(\langle B'_j\rangle_v \wedge M)\big)$

Proof: (3)4, the definition of $B'_j$, and Lemma 4.3.
(3)6. $\Pi \Rightarrow \Box\big((\mathit{Enabled}\,\langle B'_j\rangle_v) \Rightarrow \mathit{Enabled}\,(\langle B'_j\rangle_v \wedge N')\big)$

Proof: (3)5 and (3)3.
(3)7. Q.E.D.

Proof: (3)6 and the definition of $\Pi'$, which implies $\Pi' \Rightarrow \Pi$.

(2)2. $\langle \mathit{NowT}\rangle_{now}$ is a subaction of $\Pi'$.

(3)1. $\Pi' \Rightarrow \Box\big((\mathit{Enabled}\,\langle \mathit{NowT}\rangle_{now}) \Rightarrow (\mathit{Enabled}\,(\langle \mathit{NowT}\rangle_{now} \wedge M))\big)$
(4)1. $\Pi' \Rightarrow \Box\big((\mathit{Enabled}\,\mathit{NowT}) \Rightarrow (\mathit{Enabled}\,(\mathit{NowT} \wedge M))\big)$
Proof: (1)3, assumption (0).2b, and the definition of $\mathit{NowT}$, since $\Pi'$ implies $\Pi$.

(4)2. Q.E.D.

Proof: (4)1 and Lemma 4.3, substituting $now \neq T$ for $P$ (since $\langle \mathit{NowT}\rangle_{now}$ equals $\mathit{NowT} \wedge (now \neq T)$).
(3)2. $\Pi' \Rightarrow \Box\big(\mathit{Enabled}\,(\langle \mathit{NowT}\rangle_{now} \wedge M) \Rightarrow \mathit{Enabled}\,(\langle \mathit{NowT}\rangle_{now} \wedge N')\big)$
(4)1. $(\mathit{Inv} \wedge \langle \mathit{NowT}\rangle_{now} \wedge M) \Rightarrow (\langle \mathit{NowT}\rangle_{now} \wedge N')$
(5)1. $\mathit{Inv} \wedge \langle \mathit{NowT}\rangle_{now} \Rightarrow \mathit{RTact}_v$

Proof: (1)3 ($\mathit{Inv}.1$ and $\mathit{Inv}.2$).
(5)2. $\forall i \in I : \langle \mathit{NowT}\rangle_{now} \Rightarrow \mathit{MinTact}(t_i, A_i, v)$
Proof: $\mathit{MinTact}(t_i, A_i, v) = [\ldots]_v$, and $\langle \mathit{NowT}\rangle_{now}$ implies $v' = v$.

(5)3. $\forall j \in J : \mathit{Inv} \wedge \langle \mathit{NowT}\rangle_{now} \wedge M \Rightarrow \mathit{MaxTact}(T_j)$
Assume: 1. $j \in J$

2. $\mathit{Inv} \wedge \langle \mathit{NowT}\rangle_{now} \wedge M$
Prove: $\mathit{MaxTact}(T_j)$

(6)1. Case: $\mathit{Enabled}\,\langle A_j\rangle_v$
(7)1. $now' \leq T_j$

Proof: $\mathit{Inv}.1$, $\mathit{Inv}.2$, $\langle \mathit{NowT}\rangle_{now}$, and the definition of $\mathit{NowT}$, since case assumption (6) and the definition of $T$ imply $T_j \geq T$.
(7)2. Case: $j \in J_P$
(8)1. Case: $T'_j = T_j$

Proof: (7)1 and the definition of $\mathit{MaxTact}(T_j)$.
(8)2. Case: $T'_j = now + \delta_j$

Proof: $\mathit{Inv}.2$, $\langle \mathit{NowT}\rangle_{now}$, and the definition of $\mathit{MaxTact}(T_j)$.
(8)3. Q.E.D.

Proof: (8)1, (8)2, and case assumption (7), since case assumption (6) and the definition of $\mathit{PTact}(T_j, A_j, \delta_j, v)$ imply that these are the only possibilities.

(7)3. Case: $j \in J_V$

(8)1. $T'_j = T_j$

Proof: Case assumption (7) and the definitions of $M$ and $\mathit{VTact}(T_j, A_j, \delta_j, v)$, since $\langle \mathit{NowT}\rangle_{now}$ implies $v = v'$.
(8)2. Q.E.D.

Proof: (7)1, (8)1, and the definition of $\mathit{MaxTact}(T_j)$.
(7)4. Q.E.D.
Proof: (7)2, (7)3, (1)1.1, and assumption (5).1.
(6)2. Case: $\neg\mathit{Enabled}\,\langle A_j\rangle_v$

(7)1. $now, now' \in R$ and $now' \geq now$.

Proof: $\mathit{Inv}.1$, $\mathit{Inv}.2$, $\langle \mathit{NowT}\rangle_{now}$, and the definition of $T$.
(7)2. Case: $j \in J_P$
(8)1. $T'_j \geq now'$
Proof: (7)1, case assumption (7), $\mathit{Inv}.1$, and the definitions of $M$ and $\mathit{PTact}(T_j, A_j, \delta_j, v)$.
(8)2. Q.E.D.
Proof: (8)1 and the definition of $\mathit{MaxTact}(T_j)$.
(7)3. Case: $j \in J_V$
(8)1. $T_j = \infty$

Proof: By case assumption (7) and $\mathit{Inv}.5$.
(8)2. $T'_j = \infty$

Proof: (8)1, case assumption (7), and the definitions of $M$ and $\mathit{VTact}(T_j, A_j, \delta_j, v)$, since $\langle \mathit{NowT}\rangle_{now}$ implies $v = v'$.
(8)3. Q.E.D.

Proof: (7)1, (8)2, and the definition of $\mathit{MaxTact}(T_j)$.
(7)4. Q.E.D.
Proof: (7)2, (7)3, (1)1.1, and assumption (5).1.
(6)3. Q.E.D.
Proof: (6)1 and (6)2.
(5)4. Q.E.D.
Proof: (5)1, (5)2, (5)3, and the definition of $N'$.
(4)2. Q.E.D.

Proof: (4)1 and (1)2, since by Lemma 4.3 and Lemma 4.5, $\mathit{Inv} \wedge \mathcal{D} \Rightarrow \mathcal{E}$ implies $\Box\mathit{Inv} \Rightarrow \Box((\mathit{Enabled}\,\mathcal{D}) \Rightarrow (\mathit{Enabled}\,\mathcal{E}))$, for any actions $\mathcal{D}$ and $\mathcal{E}$.
(3)3. Q.E.D.
Proof: (3)1 and (3)2.
(2)3. Q.E.D.
(1)5. $\Pi' \wedge \mathit{WF}_{(now,v)}(C) \Rightarrow \mathit{NZ}$
Assume: $r \in R$

Prove: $\Pi' \wedge \mathit{WF}_{(now,v)}(C) \Rightarrow ((now = r) \leadsto (now \in [r + \Delta, \infty)))$
Let: $U \triangleq \{j \in J : T_j < r + \Delta\}$

$V \triangleq \{j \in J : now < T_j < r + \Delta\}$

$\mathit{TimerAct} \triangleq \forall j \in J : \vee\ \mathit{VTact}(T_j, A_j, \delta_j, v)$
$\qquad\qquad\qquad\qquad\quad\ \vee\ \mathit{PTact}(T_j, A_j, \delta_j, v)$
(2)1. $\mathit{Inv} \Rightarrow \mathit{Enabled}\,\langle C\rangle_{(now,v)}$
(3)1. Case: $T \neq now$

Proof: By the definition of $C$, since case assumption (3) implies $\mathit{Enabled}\,\langle \mathit{NowT}\rangle_{now}$.
(3)2. Case: $T = now$

(4)1. Choose $j \in J$ such that $(T_j = T) \wedge \mathit{Enabled}\,\langle A_j\rangle_v$.

Proof: $\mathit{Inv}.2$, case assumption (3), and the definition of $T$.
(4)2. $\mathit{Enabled}\,\langle B_j\rangle_v$

Proof: (4)1, $\mathit{Inv}.3$, and the definition of $\langle B_j\rangle_v$.
(4)3. $\mathit{Enabled}\,\langle B'_j\rangle_v$

Proof: (4)2, $\mathit{Inv}.4$, case assumption (3), and the definition of $\langle B'_j\rangle_v$.
(4)4. Q.E.D.

Proof: Case assumption (3), (4)3, and the definition of $C$.
(3)3. Q.E.D.
Proof: (3)1 and (3)2.

(2)2. $\Pi' \Rightarrow \Box\big((now = r) \wedge \Box(now \in (-\infty, r + \Delta)) \Rightarrow \Box(now \in [r, r + \Delta))\big)$
(3)1. $\Box[\mathit{RTact}_v]_{now} \Rightarrow ((now = r) \Rightarrow \Box(now \in [r, \infty)))$

Proof: A standard invariance argument.
(3)2. $\Box[\mathit{RTact}_v]_{now} \Rightarrow \Box((now = r) \Rightarrow \Box(now \in [r, \infty)))$

Proof: (3)1 and simple temporal logic.
(3)3. $\Pi' \Rightarrow \Box((now = r) \Rightarrow \Box(r \leq now))$

Proof: (3)2, since $\Pi' \Rightarrow RT_v$ and $RT_v \Rightarrow \Box[\mathit{RTact}_v]_{now}$.
(3)4. Q.E.D.
Proof: (3)3, using the temporal logic tautology

$(F \Rightarrow G) \Rightarrow ((F \wedge \Box H) \Rightarrow (G \wedge \Box H))$
(2)3. Assume: $j \in J$

Prove: 1. $\Pi' \wedge \Box(now \in [r, r + \Delta)) \Rightarrow \Box((j \notin U) \Rightarrow \Box(j \notin U))$
2. $\Pi' \wedge \Box(now \in [r, r + \Delta)) \Rightarrow \Box((j \notin V) \Rightarrow \Box(j \notin V))$
Proof: A standard invariance proof, using assumption (0).3b.
(2)4. $\Pi' \wedge \Box(now \in [r, r + \Delta)) \wedge \mathit{WF}_{(now,v)}(C) \Rightarrow \Diamond\Box(U = \emptyset)$
Proof sketch: The set $V$ consists of those timers in $U$ that are not equal to $now$. To prove that $U$ is eventually empty, we show that, whenever $U$ is nonempty, eventually $U$ or $V$ gets smaller. Since $U$ and $V$ are finite, $U$ must eventually become empty.
(3)1. Assume: $U_0$ and $V_0$ sets, with $U_0 \neq \emptyset$.
Prove: $\wedge\ \Box((U \subseteq U_0) \wedge (V \subseteq V_0))$
$\wedge\ \Box(now \in [r, r + \Delta))$
$\wedge\ \Box\mathit{Inv}$
$\wedge\ \Box[\mathit{TimerAct}]_{(now,v)}$
$\wedge\ \mathit{WF}_{(now,v)}(C)$
$\Rightarrow\ \big(((U = U_0) \wedge (V = V_0)) \leadsto ((U \subset U_0) \vee ((U \subseteq U_0) \wedge (V \subset V_0)))\big)$

Proof sketch: This is a straightforward application of rule WF1 (Lemma 3), with the following substitutions.
Let: $I \triangleq$ 1. $\wedge\ now \in [r, r + \Delta)$
2. $\wedge\ (U \subseteq U_0) \wedge (V \subseteq V_0)$
3. $\wedge\ \mathit{Inv}$

$P \triangleq (U = U_0) \wedge (V = V_0)$

$Q \triangleq (U \subset U_0) \vee ((U \subseteq U_0) \wedge (V \subset V_0))$

$N \triangleq \mathit{TimerAct}$
$A \triangleq C$

(4)1. $I' \Rightarrow (P' \vee Q')$

Proof: Obvious.
(4)2. Assume: $P \wedge I \wedge I' \wedge \langle N \wedge A\rangle_f$
Prove: $Q'$
(5)1. Case: $T = now$

(6)1. Choose $j$ in $J$ such that $(T_j = T) \wedge \langle B'_j\rangle_v$.

Proof: $A$ and case assumption (5).
(6)2. $T'_j \geq r + \Delta$

Proof: (6)1, $I.1$, the definition of $B'_j$, and $\mathit{TimerAct}$.
(6)3. $j \in U$

Proof: (6)1, case assumption (5), and $I.1$.
(6)4. $j \notin U'$

Proof: (6)2.
(6)5. Q.E.D.
Proof: (6)3, (6)4, and $I'.2$.
(5)2. Case: $T \neq now$
(6)1. $(now' = T) \wedge (v' = v)$

Proof: $A$ and case assumption (5).
(6)2. Case: $T \in (now, r + \Delta)$

(7)1. Choose $j$ in $J$ such that $(T_j = T) \wedge \mathit{Enabled}\,\langle A_j\rangle_v$.
Proof: Case assumption (6) and the definition of $T$.
(7)2. $\vee\ T'_j = now'$
$\vee\ T'_j \in [r + \Delta, \infty]$
Proof: (6)1, (7)1, $I.1$, and $\mathit{TimerAct}$.

(7)3. $j \in V$

Proof: (7)1, case assumption (6), and the definition of $V$.
(7)4. $j \notin V'$

Proof: (7)2 and the definition of $V$.
(7)5. Q.E.D.

Proof: (7)3, (7)4, and $I'.2$.
(6)3. Case: $T \in [r + \Delta, \infty]$

Proof: Impossible by (6)1 and $I'.1$.
(6)4. Q.E.D.
Proof: (6)2, (6)3, $I.3.1$, and case assumption (5).
(5)3. Q.E.D.
Proof: (5)1 and (5)2.
(4)3. $P \wedge I \Rightarrow \mathit{Enabled}\,\langle A\rangle_f$

Proof: (2)1.
(4)4. Q.E.D.
Proof: (4)1, (4)2, (4)3, and Lemma 3.
(3)2. Assume: $U_0$ and $V_0$ sets, with $U_0 \neq \emptyset$.

Prove: $\Pi' \wedge \Box(now \in [r, r + \Delta)) \wedge \mathit{WF}_{(now,v)}(C) \Rightarrow$
$\big(((U = U_0) \wedge (V = V_0)) \leadsto$
$((U \subset U_0) \vee ((U \subseteq U_0) \wedge (V \subset V_0)))\big)$

(4)1. $\Pi' \Rightarrow \Box\big((U \subseteq U_0) \wedge (V \subseteq V_0) \Rightarrow \Box((U \subseteq U_0) \wedge (V \subseteq V_0))\big)$

Proof: Follows from (2)3.
(4)2. Q.E.D.

Proof: (3)1, (4)1, and (1)2, since $\Pi' \Rightarrow \Box[\mathit{TimerAct}]_{(now,v)}$ by assumption (0).3b.
(3)3. Q.E.D.

Proof: Since $U$ and $V$ are finite by assumption (0).0d, it follows from (3)2 and the Lattice Rule [13] that $\Pi' \wedge \Box(now \in [r, r + \Delta)) \wedge \mathit{WF}_{(now,v)}(C)$ implies $\Diamond(U = \emptyset)$. By (2)3, $\Pi' \wedge \Box(now \in [r, r + \Delta))$ implies $\Diamond(U = \emptyset) \Rightarrow \Diamond\Box(U = \emptyset)$.
(2)5. $\wedge\ \Box(now \in [r, r + \Delta))$
$\wedge\ \Box(U = \emptyset)$
$\wedge\ \Box\mathit{Inv}$
$\wedge\ \mathit{WF}_{(now,v)}(C)$
$\Rightarrow\ \mathit{true} \leadsto (now \geq r + \Delta)$
Let: $I \triangleq$ 1. $\wedge\ U = \emptyset$
2. $\wedge\ now \in [r, r + \Delta)$
3. $\wedge\ \mathit{Inv}$
$P \triangleq \mathit{true}$

$Q \triangleq now \geq r + \Delta$
$N \triangleq \mathit{true}$
$A \triangleq C$

$f \triangleq (now, v)$
(3)1. $I \wedge I' \wedge [N]_f \Rightarrow (P' \vee Q')$

Proof: Immediate, since $P' = \mathit{true}$.
(3)2. Assume: $P \wedge I \wedge I' \wedge \langle N \wedge A\rangle_f$
Prove: $Q'$
(4)1. $T \in [r + \Delta, \infty]$

Proof: By $I$.
(4)2. $\langle \mathit{NowT}\rangle_{now}$

Proof: By (4)1, $I.2$, and $A$.
(4)3. Q.E.D.
Proof: (4)1, (4)2, and the definition of $\mathit{NowT}$.
(3)3. $P \wedge I \Rightarrow \mathit{Enabled}\,\langle A\rangle_f$

Proof: (3)1.
(3)4. Q.E.D.
Proof: (3)1, (3)2, (3)3, and Lemma 3.
(2)6. Q.E.D.
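The measure argument behind steps (2)4 and (3)1 above, that every $\langle C\rangle_{(now,v)}$ step taken while $now$ stays in $[r, r+\Delta)$ either removes a timer from $U$ or leaves $U$ unchanged and removes one from $V$, can be exercised on a concrete trace. The Python model below is an added example and is not code from the paper; it assumes persistent timers only (the $J_P$ case), that a $C$ step fires an action whose timer equals $now$ (resetting $T_j$ to $now + \delta_j$) and otherwise advances $now$ exactly to the earliest timer $T$, and that $\Delta \leq \min_j \delta_j$ so that a fired timer leaves $U$ as in (6)2. The class and function names and the timer values in `demo()` are constructed for this illustration.

```python
import math
from typing import Dict, List, Tuple

INF = math.inf


class PersistentTimerModel:
    """Constructed toy model (not the paper's TLA definitions) of the clock
    variable now and one persistent upper-bound timer T_j per action A_j.
    A step of the hypothetical action C either fires an action whose timer
    has expired (T_j = now), resetting T_j to now + delta_j, or advances now
    to the earliest timer T, never past it (the MaxTime constraint)."""

    def __init__(self, now: float, timers: Dict[str, float], deltas: Dict[str, float]) -> None:
        self.now = now
        self.T = dict(timers)      # current timer values T_j
        self.delta = dict(deltas)  # bounds delta_j used when A_j fires
        assert self.invariant()

    def invariant(self) -> bool:
        # Inv.1 of the proof: every timer lies in [now, oo]
        return all(t >= self.now for t in self.T.values())

    def earliest(self) -> float:
        # T: the earliest deadline, which blocks any further advance of now
        return min(self.T.values(), default=INF)

    def step_C(self) -> str:
        """Perform one <C>_(now,v) step; returns a label for the trace."""
        T = self.earliest()
        if T == self.now:
            # A deadline has been reached: the action owning that timer fires
            # (the <B'_j>_v case of C) and its persistent timer is reset.
            j = min(j for j, t in self.T.items() if t == T)
            self.T[j] = self.now + self.delta[j]
            return f"fire {j}"
        # No expired timer: time advances up to the earliest deadline.
        self.now = T
        return "advance now"

    def U(self, r: float, Delta: float) -> set:
        # U = {j in J : T_j < r + Delta}: timers that can block reaching r + Delta
        return {j for j, t in self.T.items() if t < r + Delta}

    def V(self, r: float, Delta: float) -> set:
        # V = {j in J : now < T_j < r + Delta}: members of U that have not expired
        return {j for j, t in self.T.items() if self.now < t < r + Delta}


def run_past_deadline(model: PersistentTimerModel, r: float, Delta: float,
                      max_steps: int = 1000) -> List[Tuple[str, int, int, float]]:
    """Drive C steps from now = r until now >= r + Delta, checking on every
    step taken while now is still in [r, r + Delta) that the pair (|U|, |V|)
    decreases lexicographically: the well-founded measure behind (2)4.
    Requires Delta <= min delta_j, so a fired timer leaves U (step (6)2)."""
    assert model.now == r
    assert Delta <= min(model.delta.values())
    trace: List[Tuple[str, int, int, float]] = []
    measure = (len(model.U(r, Delta)), len(model.V(r, Delta)))
    for _ in range(max_steps):
        if model.now >= r + Delta:
            return trace              # the leads-to goal now in [r + Delta, oo) holds
        label = model.step_C()
        assert model.invariant()      # MaxTime never lets now overtake a timer
        new_measure = (len(model.U(r, Delta)), len(model.V(r, Delta)))
        if model.now < r + Delta:
            # Either U shrank, or U is unchanged and V shrank (the two cases of (4)2)
            assert new_measure < measure, (measure, new_measure)
        measure = new_measure
        trace.append((label, new_measure[0], new_measure[1], model.now))
    raise RuntimeError("now never passed r + Delta: Zeno-like behaviour in the model")


def demo() -> List[Tuple[str, int, int, float]]:
    # Constructed sample: three persistent timers all pending below r + Delta = 3.
    model = PersistentTimerModel(now=0.0,
                                 timers={"a": 1.0, "b": 2.0, "c": 2.5},
                                 deltas={"a": 3.0, "b": 4.0, "c": 5.0})
    return run_past_deadline(model, r=0.0, Delta=3.0)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In `demo()` the measure starts at $(3, 3)$ and falls through $(3,2), (2,2), (2,1), (1,1), (1,0), (0,0)$: advancing $now$ to a pending timer removes it from $V$, firing the expired action pushes its timer to at least $r+\Delta$ and removes it from $U$, and once $U$ is empty the next advance carries $now$ to $4 \geq r+\Delta$, which is the step (2)5 supplies.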

(1)6. $(E \rightarrow M',\ E \Rightarrow \mathit{WF}_{(now,v)}(C))$ is $\mu$-machine realizable.
(2)1. $M'$ constrains at most $\mu$.
(3)1. $M$ constrains at most $\mu$.

Proof: Assumption (0).5.
(3)2. $RT_v$ constrains at most $\mu$.

Proof: Assumption (0).6b.
(3)3. For all $i$ in $I$, $\mathit{MinTime}(t_i, A_i, v)$ constrains at most $\mu$.
Proof: By definition of $\mathit{MinTime}$, a step violates $\mathit{MinTime}(t_i, A_i, v)$ only if it is an $\langle A_i\rangle_v$ step, so this follows from Assumption (0).6a.
(3)4. For all $j$ in $J$, $\mathit{MaxTime}(T_j)$ constrains at most $\mu$.

Proof: Assumption (0).6b.
(3)5. Q.E.D.
Proof: (3)1–(3)4 and the definition of $M'$.
(2)2. Q.E.D.
(1)7. $(\mathit{true}, \mathit{NZ})$ is $\mu$-machine realizable.
(1)8. Q.E.D.